- I have a scripted input with events that I want to send to different indexes based on a string within the event.
- I do this for easier access control.
- I control the event format via the script and so have created an easy-to-regex string at the bottom of each event which Splunk should use to route the event.
- It works but only sometimes. I'll import 10 events and some go to the default index and some go to the routing index.
- These are multi-line events that are usually about 20 to 50 lines but sometimes up to a few hundred lines (rare)
- I'm wondering what I'm doing wrong.
Here's my .conf entries
inputs.conf (in a custom application directory /splunk_home/etc/apps/myapp/local/inputs.conf)
[script:///splunk_home/bin/scripts/get_test_multi.pl]
disabled = 0
interval = 60000
source = get_test_multi
sourcetype = test_multi
index=test_index
props.conf (in /splunk_home/etc/system/local/props.conf)
[test_multi]
TRANSFORMS-index=test_index_router
EXTRACT-test_checker = splunk_index :: (?<test_index_field>.*?)\n
transforms.conf (in /splunk_home/etc/system/local/transforms.conf)
[test_index_router]
REGEX = splunk_index :: (?<my_splunk_index>.*?)\n
FORMAT = $1
DEST_KEY = _MetaData:Index
In props.conf you'll notice I extract a field called 'test_index_field' which is the same as the regex I'm using to route the index. I do this just to confirm that I'm correctly extracting the value which works correctly 100% of the time.
- The events are sent to the correct index only some of the time
- Events are either routed correctly or sent to the value I designate in inputs.conf for index
- I've tried removing the entry for index in inputs.conf with the same results only it sends the events to index=main (default)
