×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mwilson788
Explorer
Member since: ‎12-15-2014
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 10
Karma Received 3
Member Since ‎12-15-2014
Activity Feed
View All

Re: How to forward all events to a single index, ...

by in Getting Data In
‎01-06-2015 11:32 AM
2 Karma
‎01-06-2015 11:32 AM
2 Karma
I did actually. I just got this to work with a bit of tweaking. Answer here for others who may have this issue: props.conf [default] TRANSFORMS-index = setdefaultindex, setnull transforms.conf [setdefaultindex] REGEX = . DEST_KEY = _MetaData:Index FORMAT = indexname [setnull] REGEX = INFO DEST_KEY = queue FORMAT = nullQueue This was very close to your solution so I give you all the credit jayannah! Thanks so much! ... View more

Re: How to forward all events to a single index, ...

by in Getting Data In
‎01-06-2015 11:05 AM
‎01-06-2015 11:05 AM
Of course. Still tinkering. I appreciate the effort. If you think of anything at all, it would be appreciated. ... View more

Re: How to forward all events to a single index, ...

by in Getting Data In
‎01-06-2015 10:43 AM
1 Karma
‎01-06-2015 10:43 AM
1 Karma
I should say Option 2 is the one I tried. I'm afraid I'm unable to change the inputs.conf file on the UFs as mentioned in Option 1 (I agree this would be ideal). ... View more

Re: How to forward all events to a single index, ...

by in Getting Data In
‎01-06-2015 10:42 AM
‎01-06-2015 10:42 AM
I really thought this might work but alas, the events still poor in. It's like the filter is being ignored completely... ... View more

Re: How to forward all events to a single index, ...

by in Getting Data In
‎01-06-2015 10:21 AM
‎01-06-2015 10:21 AM
Thank you for your response. Actually, the document you reference is what I've been using to the letter. The following was added to props.conf for filtering: [splunkd] TRANSFORMS-null = setnull And to transforms.conf: [setnull] REGEX = \"INFO\" DEST_KEY = queue FORMAT = nullQueue According to the doc, this should work but, does nothing. Am I overlooking something simple here? As a side note, I even went so far as to set priority on the stanzas as a test. No luck there either. ... View more

How to forward all events to a single index, but ...

by in Getting Data In
‎01-06-2015 10:00 AM
‎01-06-2015 10:00 AM
We are currently using props.conf and transforms.conf to combine all non-internal ingest into a single index on our heavy forwarder (coming from 100s of universal forwarders). We are doing so with the following config: props.conf [default] TRANSFORMS-index = setdefaultindex transforms.conf [setdefaultindex] REGEX = . DEST_KEY = _MetaData:Index FORMAT = customindexname All was working well until we decided to start filtering out all splunkd sourcetype events that contain INFO. It seems they are forwarded on regardless of the filter we put in place due to the config above. Is there a way around this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to