I understand you have to modify the indexes.conf, props.conf, and transforms.conf inside of the $SPLUNK/etc/system/local directory but I am completely lost what to fill in. I have the documentation for each file pulled up but I'm still not getting very far.
The only file I've really changed is the indexes.conf:
[cisco_asa]
sourcetype = cisco:asa
disabled = 0
index = cisco_asa
frozenTimePeriodInSecs = 15800000
EDIT:
I'm trying to separate my ASA to it's own index for different retention policies and a smaller database. The ASA already comes across splunk as "cisco:asa" so I'm mostly trying to match that source type to a index. Although in the future I'd like to start specifying by IP address to an index.
I've made some changes and this is what I have but still no luck:
indexes.conf:
[cisco_asa]
disabled = 0
frozenTimePeriodInSecs = 15800000
props.conf:
[cisco:asa]
TRNASFORMS-8_AssignToIndex = cisco:asa
transforms.conf:
[cisco:asa]
REGEX = .
DEST_KEY = _Metadata:Index
FORMAT = cisco:asa
... View more