Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to index routing based on the data in raw event?

ainap
Explorer
‎02-18-2022 10:01 AM

I had the following scenario working in one clustered environment, using physical servers:

1. Route data to an index based on the value found in a raw data. 

This is achieved by, using props and transforms conf that are deployed within a parsing app, that looks something like this:

props.conf

[a_somercetype]

TRANSFORMS-index_routing = a_index_routing

[b_sourcetype]
TRANSFORMS-index_routing = b_index_routing

transforms.conf:

[index_routing]
SOURCE_KEY = _raw
REGEX = ^\d{4}\-\d{2}-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d+\+\d{2}\:\d{2}\s\w+\.\w+\.bb\-(?<field1>\w+?)\-
DEST_KEY = _MetaData:Index
FORMAT = index_name_$1

note: field1 is where value a or b will appear

There is also inputs.conf on the deployment server that pushes the config with correct index and sourcetype to the forwarder. This used to work without any issues. In fact still does in one of the clustered environment. But it doesn't work in the new test clustered environment as the data gets sent to main index instead of the indexes specified in props and transforms. Is there a setting on the indexer or elsewhere that could stop this from working?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-18-2022 12:33 PM

Just to be on the safe side - a basic question - you put the props/transforms on the first "heavy" component in event's path?

Did you check the resulting config with btool?

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎02-18-2022 11:08 AM

As a side note - if you're using $1, you don't need to name the group.

But to the point. Generally, it should work. Are you 100% sure that your events in this environment do match the regex?

And is it a mistake in copy-pasting? Because in props.conf you have two differently named transforms and the stanza from transforms.conf is named differently.

0 Karma
Reply
Solved! Jump to solution

ainap
Explorer
‎02-18-2022 11:32 AM

yes, all configuration is exactly the same and is working on one clustered environment but not the other one, which makes no sense. The data is coming in exactly the same format and I can see that regex matches the correct value in the raw event. 

0 Karma
Reply
Solved! Jump to solution

ainap
Explorer
‎02-18-2022 11:39 AM

I should have mentioned earlier that instead of data being routed to the indexes as specified in transforms and props.conf, it is being sent to main.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-18-2022 12:33 PM

Just to be on the safe side - a basic question - you put the props/transforms on the first "heavy" component in event's path?

Did you check the resulting config with btool?

Reply
Solved! Jump to solution

ainap
Explorer
‎02-21-2022 02:05 AM

Thank you for your help. You are right, put props/transforms onto first heavy component, which we didn't. The new set up includes heavy forwarder.  The config was placed as of previous set up in place and not considered new set up. Silly mistake. Thanks.

Tags (1)
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...