Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

index time transform covering multiple destination indexes

juniormint
Communicator
‎02-13-2014 11:49 AM

I would like filter certain known data events into three different indexes (possibly more in the future).

Events have an embedded field called "AppName". The possible values happen to be the names of my indexes.

Is this the right approach? Does it look correct?
in transforms.conf
[RedirectToAppIndex]
REGEX = .*AppName="(?i)(app1|app2|app3)"
DEST_KEY = _MetaData:Index
FORMAT = $1

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-13-2014 12:23 PM

This looks ok.
make sure that the indexes app1 app2 and app3 exists with the proper case.

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎02-13-2014 12:23 PM

This looks ok.
make sure that the indexes app1 app2 and app3 exists with the proper case.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-14-2014 09:26 AM

yes, each event has to be compared to the regex and routed, it adds load to the indexing.

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎02-13-2014 08:46 PM

By that you just mean...index time transforms take time and resources...add complexity, etc. Right?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-13-2014 02:07 PM

But the best solution is still to specify the index at the input level.
If you have distinct inputs per sources of course.

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎02-13-2014 02:02 PM

Thanks for calling out that they need to exist. This transform is actually part of my strategy for dealing with indexes that logically should exist but haven't yet been created for whatever reason.

All my events from a group of machines have an initial default index defined in the index meta data field (think catchall). The log events can include a preference for destination index by specifying AppName, but if it doesn't exist the log events fall back on the default index.

0 Karma
Reply
Solved! Jump to solution

juniormint
Communicator
‎02-13-2014 01:33 PM

My goal on the matching side was to have the "(?i)" make the regex case-insensitive.

On the index name side, my experience has suggested that the ingestion does not care about case (all my indexes show up in the manager as lower case and events coming in as App1 or aPP1 all make it into app1).

Does that not line up with your experience/understanding?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...