Thank you for the response, appreciated. Actually, my situation is slightly different. As mentioned before, I need to receive data from a Splunk instance that we do not control, which is already indexing the data in its own on-prem Splunk environment. The issue is that the index names they send their logs to are generic, whereas I need to name the indices using a specific nomenclature in my Splunk instance. Therefore, I need to intercept their logs and modify the index name that arrives via the cooked data.

To test that configuration, I performed a local test. I created a TCP input on port 19999 configured as follows:

[tcp://19999]
disabled = false
connection_host = ip
index = axonius
sourcetype = test_syslog_firewall
_TCP_ROUTING = test_loopback_9996

A second input configured like this:

[splunktcp://9996]
disabled = false
connection_host = ip
_meta = provenienza::smartcity

An outputs.conf configured to forward the logs back to itself on another port, with sendCookedData set to true:

[tcpout:test_loopback_9996]
server = 127.0.0.1:9996
# Forcing transmission in standard Splunk ("cooked") mode
sendCookedData = true

After that, I configured a props.conf:

[splunktcp]
TRANSFORMS-force_index_main = check_tag_and_set_main_index

And the corresponding transforms.conf:

[check_tag_and_set_main_index]
SOURCE_KEY = _meta
REGEX = provenienza::smartcity
DEST_KEY = _MetaData:Index
FORMAT = main

Then I sent a log to port 19999. The log is indeed successfully routed to test_loopback_9996, a behavior confirmed by the fact that it gets assigned _meta = provenienza::smartcity, but then I cannot get it to change the index. It gets ingested into the axonius index instead of main. I believe the stanza [splunktcp] set in props.conf is not working as expected. Could you give me some tips?

Furthermore, while this approach might work for changing the index arbitrarily, what I actually need is to be able to intercept the logs arriving on splunktcp:9996 and dynamically route them. For example: if the incoming index is windows, change it to windows_smartcity; if the incoming index is linux, change it to linux_smartcity, and so on. Right now, I am not sure how to achieve this because my current transform tries to intercept a metadata field (_meta) to change the index. Instead, I need to intercept the incoming index name itself and modify it based on its original value, but only for the events arriving through that specific splunktcp port.
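Added example for the second question in the post (this is not the poster's configuration and not a Splunk-supplied snippet): one index-time transform that rewrites the incoming index name in place by capturing it from _MetaData:Index and appending a suffix, so windows becomes windows_smartcity and linux becomes linux_smartcity, while events in any other index are left untouched. Two caveats a practitioner should check before relying on it. First, props.conf stanzas are matched on sourcetype, source:: or host::, so a bare [splunktcp] stanza only ever applies to events whose sourcetype is literally splunktcp; the example uses [host::*] as a deliberately broad, assumed scope and does not by itself limit the rewrite to one input port. Second, TRANSFORMS- settings run in the parsing pipeline, and events that were already cooked and parsed upstream (by a heavy forwarder or another full Splunk instance, which is what sendCookedData = true between two full instances produces) do not pass through parsing again on the receiver, so TRANSFORMS- never fires on them; on Splunk Enterprise 8.1 and later an indexer can apply the same transform to that already-parsed data with a RULESET- setting, shown in the same stanza. The stanza name rename_index_smartcity and the class name rename_index are invented for the example; the trailing `_smartcity` in FORMAT is literal text after the `$1` capture reference.

```ini
# transforms.conf  (added example, not from the original post)
# Capture the whole incoming index name and rewrite it with a suffix.
# Only the names listed in the alternation are touched; an event in any
# other index does not match the REGEX and keeps its original index.
# Extend the alternation (windows|linux|...) for further source indexes.
[rename_index_smartcity]
SOURCE_KEY = _MetaData:Index
REGEX = ^(windows|linux)$
FORMAT = $1_smartcity
DEST_KEY = _MetaData:Index

# props.conf  (added example, not from the original post)
# Assumed scope: host::* matches every event, so this is NOT restricted to a
# single splunktcp port; it is bounded only by which index names the REGEX
# above accepts.
[host::*]
# Runs in the parsing pipeline, i.e. for data this instance parses itself
# (for example raw TCP inputs or data from a universal forwarder).
TRANSFORMS-rename_index = rename_index_smartcity
# Splunk Enterprise 8.1+ indexers only: applies the same transform to data
# that a heavy forwarder or upstream indexer has already parsed, which the
# TRANSFORMS- line above never sees.
RULESET-rename_index = rename_index_smartcity
```

After a restart, confirm the merged configuration with `splunk btool transforms list rename_index_smartcity --debug` and `splunk btool props list "host::*" --debug`, then send a test event destined for the windows index and search `index=windows_smartcity` rather than `index=windows` to verify the rewrite took effect.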