So after looking at all of our current configurations, it's not our perf logs that are the problem. It's everything else.
When we first got Splunk 4 years ago at our company, perf and N1 were combined and the vast majority of it still is. We are routing logs to specific indexes based on hostname. We did this because the log path for each environment is exactly the same, except for perf, and we didn't want to create several different configuration apps that contained the same log paths. Looking back, I wish we hadn't done that, but it would take a giant effort to rework all of this at this point.
Below is an example of how our current logs are, broken out by host, source and index, and a copy of our transforms.conf:
Host=prod source=/var/appl/logs/mobile-remote_access.log index=company_prod
Host=n1 source=/var/appl/logs/mobile-remote_access.log index=company_perf
Host=n1 source=/var/appl/logs/mobile-remote_access_perf.log index=company_perf
Host=n0 source=/var/appl/logs/mobile-remote_access.log index=company_n
Host=n2a source=/var/appl/logs/mobile-remote_access.log index=company_n2a
Transforms.conf

[index-company_prod]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(prod.[\d]+.*)$
DEST_KEY = _MetaData:Index
FORMAT = company_prod

[index-company_n]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(n0.[\d]+.*)$
DEST_KEY = _MetaData:Index
FORMAT = company_n

[index-company_n2a]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(n2a.[\d]+.*)$
DEST_KEY = _MetaData:Index
FORMAT = company_n2a

[index-company_perf]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(n1.[\d]+.*)$
DEST_KEY = _MetaData:Index
FORMAT = company_perf
In case you're wondering, I have asked our developers to fix this on their end instead, which is just as difficult for them, if not more so.
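To make the host-only routing in the transforms.conf above concrete, here is an added example that replays the four stanzas against sample events; it is not code from the post or from Splunk. It assumes hostnames such as prod-01.corp and n1-07.corp (the post only shows the environment prefixes, and the regexes require a prefix, one further character, then digits), assumes a default index of "main" for events no stanza matches, and assumes the stanzas are applied in the order listed so that the last match wins (the real order is set by the TRANSFORMS-* line in props.conf, which the post does not include). The point it makes visible is that the source path never enters the decision, so both mobile-remote_access.log and mobile-remote_access_perf.log from an n1 host land in company_perf.

```python
from __future__ import annotations

import re

# The four stanzas from the post's transforms.conf, in the order they appear.
# All share SOURCE_KEY = MetaData:Host and DEST_KEY = _MetaData:Index, so only
# REGEX and FORMAT differ: (stanza name, REGEX, FORMAT).
TRANSFORMS = [
    ("index-company_prod", r"^host::(prod.[\d]+.*)$", "company_prod"),
    ("index-company_n",    r"^host::(n0.[\d]+.*)$",   "company_n"),
    ("index-company_n2a",  r"^host::(n2a.[\d]+.*)$",  "company_n2a"),
    ("index-company_perf", r"^host::(n1.[\d]+.*)$",   "company_perf"),
]

# Assumption: an event that matches no stanza keeps the input's default index,
# taken here to be "main"; the post does not say what its inputs default to.
DEFAULT_INDEX = "main"


def route_event(host: str, source: str) -> tuple[str, str | None]:
    """Return (index, matching stanza name) for one event.

    Each transform is tested against the SOURCE_KEY value, here the host field
    rendered as "host::<hostname>". The source parameter is accepted only to
    make the behaviour obvious: it is never consulted, so every file from a
    host goes wherever that host's stanza sends it. If several stanzas match,
    the one applied last sets _MetaData:Index; this model assumes they run in
    the order listed above (assumption, see lead-in).
    """
    key = f"host::{host}"
    index, stanza = DEFAULT_INDEX, None
    for name, regex, fmt in TRANSFORMS:
        if re.search(regex, key):
            index, stanza = fmt, name
    return index, stanza


def matching_stanzas(host: str) -> list[str]:
    """Every stanza whose REGEX matches the host.

    More than one entry means the final index depends on evaluation order;
    zero entries means the host falls through to the default index. Both are
    worth checking before adding a new stanza to a host-based scheme.
    """
    key = f"host::{host}"
    return [name for name, regex, _ in TRANSFORMS if re.search(regex, key)]


def routing_table(events: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Route a batch of (host, source) pairs and return (host, source, index)."""
    return [(h, s, route_event(h, s)[0]) for h, s in events]


# Constructed sample events mirroring the five lines in the post. The hostname
# suffixes are assumptions chosen so each host satisfies the
# "<prefix><any one character><digits>" shape the regexes require.
SAMPLE_EVENTS = [
    ("prod-01.corp", "/var/appl/logs/mobile-remote_access.log"),
    ("n1-07.corp",   "/var/appl/logs/mobile-remote_access.log"),
    ("n1-07.corp",   "/var/appl/logs/mobile-remote_access_perf.log"),
    ("n0-03.corp",   "/var/appl/logs/mobile-remote_access.log"),
    ("n2a-02.corp",  "/var/appl/logs/mobile-remote_access.log"),
]

if __name__ == "__main__":
    for host, source, index in routing_table(SAMPLE_EVENTS):
        print(f"host={host:<13} source={source:<48} index={index}")
```

Running it prints the same host/source/index table as in the post, with both n1 files in company_perf. A note on the regexes: the unescaped `.` after each prefix matches exactly one character of any kind, so a host such as n10-01.corp matches nothing and falls through to the default index, which matching_stanzas() exposes.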