Goal
I want to route some events into a longer-lived index, "staging-boeing-audit", for audit purposes.
I want all other events to continue to be indexed as before.
What I have tried
I built a simple example to prove that this method works:
I added a TRANSFORMS-"name" line to props.conf for a test sourcetype.
I added a transforms.conf stanza to route events matching a regex into a new index.
I used oneshot to load a test file into Splunk.
What happened
All data was placed into the original index "marktransform1".
No events were matched by the transform, so the target index "staging-boeing-audit" is empty.
My props.conf
root@myhost:/opt/splunk/etc/system/local# cat props.conf
[mectest]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = info.created
TIME_FORMAT = %Y-%d-%m %H:%M:%S.%3Q
KV_MODE= none
AUTO_KV_JSON= true
category = Custom
description = added via ui
disabled = false
pulldown_type = 1
TRANSFORMS-routing = route_boeing
My transforms.conf
root@myhost:/opt/splunk/etc/system/local# cat tranforms.conf
[route_boeing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = staging-boeing-audit
My oneshot command
root@myhost:/opt/splunk/bin# ./splunk add oneshot ulfs.log -sourcetype mectest -index marktransform1
Sample from ulfs.log file
root@myhost:/opt/splunk/bin# tail -2 ulfs.log
{"context": {}, "info": {"name": "starwood.core", "msg": "Got rate from Starwood", "levelname": "INFO", "levelno": 20, "pathname": "/home/ubuntu/envs/airborne/src/tune/tune/utils.py", "filename": "utils.py", "module": "utils", "exc_info": null, "exc_text": null, "stack_info": null, "lineno": 45, "funcName": "debug", "created": "2018-01-10 17:52:12.253", "msecs": 252.66528129577637, "relativeCreated": 33089947.247982025, "thread": 140501375943792, "threadName": "DummyThread-686", "processName": "MainProcess", "process": 21272, "currency": "DKK", "event_type": "get_rate", "message_type": "starwood", "content_type": "profiling", "time": 0.0021333694458007812, "message": "Got rate from Starwood", "asctime": "2018-01-10 09:52:12,252", "loggername": "starwood.core"}}
{"context": {}, "info": {"name": "tune.memory", "msg": "GC status", "levelname": "DEBUG", "levelno": 10, "pathname": "/home/ubuntu/envs/airborne/src/tune/tune/memory.py", "filename": "memory.py", "module": "memory", "exc_info": null, "exc_text": null, "stack_info": null, "lineno": 49, "funcName": "gc_monitor", "created": "2018-01-10 17:52:33.135", "msecs": 135.5295181274414, "relativeCreated": 33110830.112218857, "thread": 140501389641576, "threadName": "DummyThread-1081", "processName": "MainProcess", "process": 22337, "current_collections_count": [86, 1, 30], "current_frames": 5, "enabled": true, "garbage_count": 0, "gc_stats": [{"collections": 26842, "collected": 5718217, "uncollectable": 0}, {"collections": 2440, "collected": 2079011, "uncollectable": 0}, {"collections": 101, "collected": 1168870, "uncollectable": 0}], "max_rss": 351032, "total_objects": 326350, "message": "GC status", "asctime": "2018-01-10 09:52:33,135", "loggername": "tune.memory"}}