forward events to multiple indexers

riqbal · ‎08-26-2018

hi everyone,

I have web server events.
I want to forward specific events that contain digits 404 to index1 and remaining event to index2.
below is an example event:
12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" 404 3585 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 976

Please advise.

richgalloway · ‎08-26-2018

Try this:

In props.conf:

[mysourcetype]
TRANSFORMS-setIndex = setindex1, setindex2

In transforms.conf:

[setindex1]
DEST_KEY = _MetaData:Index
REGEX = 404
FORMAT = index1

[setindex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = index2

---
If this reply helps you, Karma would be appreciated.

riqbal · ‎08-26-2018

hi
thanks for your kind support. yesterday I achieved that. below is my working config.

inputs.conf
[monitor:///splunkfiles/lxxx/access_combined.log]
sourcetype = access_combined
index = webindex

props.conf
[access_combined]
TRANSFORMS-local = notfound

Transforms.conf

[notfound]
REGEX = "\s(404)\s
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex

Initially, I used your approach. but it did not work with me.

can you please explain line 8 in transforms.conf.

lastly, we task is to move the events to corresponding indexes before getting indexed(save license). Is this method correct?

forward events to multiple indexers

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability