Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sending Single Input To Multiple Indexes: Works Sometimes

jpass
Contributor
‎10-19-2013 07:20 PM
  • I have a scripted input with events that I want to send to different indexes based on a string within the event.
  • I do this for easier access control.
  • I control the event format via the script and so have created an easy-to-regex string at the bottom of each event which Splunk should use to route the event.
  • It works but only sometimes. I'll import 10 events and some go to the default index and some go to the routing index.
  • These are multi-line events that are usually about 20 to 50 lines but sometimes up to a few hundred lines (rare)
  • I'm wondering what I'm doing wrong.

Here's my .conf entries

inputs.conf (in a custom application directory /splunk_home/etc/apps/myapp/local/inputs.conf)

[script:///splunk_home/bin/scripts/get_test_multi.pl]
disabled = 0
interval = 60000
source = get_test_multi
sourcetype = test_multi
index=test_index

props.conf (in /splunk_home/etc/system/local/props.conf)

[test_multi]
TRANSFORMS-index=test_index_router
EXTRACT-test_checker = splunk_index :: (?<test_index_field>.*?)\n

transforms.conf (in /splunk_home/etc/system/local/transforms.conf)

[test_index_router]
REGEX = splunk_index :: (?<my_splunk_index>.*?)\n
FORMAT = $1
DEST_KEY = _MetaData:Index

In props.conf you'll notice I extract a field called 'test_index_field' which is the same as the regex I'm using to route the index. I do this just to confirm that I'm correctly extracting the value which works correctly 100% of the time.

  • The events are sent to the correct index only some of the time
  • Events are either routed correctly or sent to the value I designate in inputs.conf for index
  • I've tried removing the entry for index in inputs.conf with the same results only it sends the events to index=main (default)
Reply

jacobwilkins
Communicator
‎11-01-2013 12:59 PM

You might have some whitespace issues with your regex.

Try this:

REGEX = splunk_index :: (\w*)

The concern is that you may be including training whitespace in the capture of your index name, which would be tricksy to debug.

You might also want to try this:

[source::get_test_multi]
TRANSFORMS-index=test_index_router
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...