Trying to separate leostream "broker" events that come from syslog into its own separate index called leostream. Why is this not working? They go into the main index. I've tried the regex with and without the parentheses.
<timestamp whatever> Broker: 111.111.111.111 bla bla bla bla
Any help would be great!
indexes.conf
[leostream]
coldPath = $SPLUNK_DB/leostream/colddb
homePath = $SPLUNK_DB/leostream/db
thawedPath = $SPLUNK_DB/leostream/thaweddb
Props.conf
[syslog]
TRANSFORMS-leostream_data = LEOSTREAM
Transforms.conf
[LEOSTREAM]
# dots escaped so they match a literal "." rather than any character
REGEX = (111\.111\.111\.111)
DEST_KEY = _MetaData:Index
FORMAT = leostream
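To check the routing offline, here is an added example (not from the question or from Splunk) that reads the posted props.conf/transforms.conf stanzas and applies the index-time TRANSFORMS rule to a constructed syslog line the same way the indexing pipeline does: a matching REGEX with DEST_KEY = _MetaData:Index rewrites the destination index to FORMAT. The stanza text, the sample event and the default index "main" are assumptions mirroring the thread.

```python
import configparser
import re

# Constructed copies of the stanzas posted in the question (dots in the
# IP are escaped so they only match a literal ".").
PROPS_CONF = r"""
[syslog]
TRANSFORMS-leostream_data = LEOSTREAM
"""
TRANSFORMS_CONF = r"""
[LEOSTREAM]
REGEX = (111\.111\.111\.111)
DEST_KEY = _MetaData:Index
FORMAT = leostream
"""
# Constructed sample event in the shape shown in the question.
SAMPLE_EVENT = "Mar  1 10:00:00 host Broker: 111.111.111.111 bla bla bla bla"


def load_conf(text):
    """Parse Splunk-style .conf text; keys stay case-sensitive as Splunk reads them."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_index(raw, sourcetype, props_text, transforms_text, default_index="main"):
    """Return the index an event of `sourcetype` lands in after index-time
    TRANSFORMS-* routing: each transform listed for the sourcetype whose
    DEST_KEY is _MetaData:Index and whose REGEX matches _raw overwrites the
    destination index with FORMAT; a later match wins over an earlier one."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    index = default_index
    if not props.has_section(sourcetype):
        return index  # no props stanza for this sourcetype: nothing is applied
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if not transforms.has_section(name):
                continue
            t = transforms[name]
            if t.get("DEST_KEY") != "_MetaData:Index":
                continue
            if re.search(t["REGEX"], raw):  # Splunk uses PCRE; re is close enough here
                index = t["FORMAT"]
    return index
```

The sample line routes to leostream, so if real events still land in main the transform is not the part that fails; note that Splunk only reads files named props.conf and transforms.conf in lowercase on case-sensitive filesystems, and the stanza must name the sourcetype the events actually carry.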
I have the same problem. Any solution, community?
No, syslog.conf is set to my indexer over UDP 514. Very basic input setting. No forwarder involved.
I am forwarding syslog logs to a central syslog server. Then the central syslog server is sending logs to the UF.
How can I send the logs to a specific index?
Did you restart the splunk instance after setting this up? Are you sending the syslog data to the indexer directly or to a forwarder?
The UF is installed on my syslog server and the UF is configured to forward logs to the HF.
Where should I configure the index configuration?