indexRouting with customFilters to route based on ...

Ezward · ‎08-27-2021

I would like to use indexRouting to move some log lines to a given index and have other log lines go to athe HEC's default index. The log lines that I want to route are single-line json formatted as a HEC event. Below is a pretty-printed example:

{
  "event":{
    "device":{
      "id":"dcef6f000bc7a6baffc0f0b5f000",
    },
    "logMessage":{
      "description":"Publishing to web socket",
      "domain":"WebSocketChannel",
      "severity":"debug"
    },
    "topic":"com.juneoven.dev.analytics"
  },
  "index":"analytics_logs_dev",
  "level":"INFO",
  "source":"dev.analytics",
  "sourcetype":"analytics-logs",
  "time":1630091106.076237
}

Other log lines are normal text logs (non-json formatted):

2021-08-27 19:09:14,295 INFO [tornado.access] 202 POST /1/analytics/log (10.110.4.224) 35.62ms

I see that there is a customFilter feature. I am hoping that Ican key off of the 'index' field in the HEC event to route these json log lines to their index and allow all other lines to go to the default index for the HEC.

Is that possible? Is there some documentation that would help me? Thanks.

PickleRick · ‎08-30-2021

You can use a transform to rewrite the index metadata field of an event.

https://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf#KEYS:

So in a props.conf you do

[mysourcetype]
TRANSFORMS-redirect=redirect_to_index2

And in transforms.conf (assuming you want to redirect json events:

[redirect_to_index2]
REGEX = {.*}
FORMAT = index2
DEST_KEY = _MetaData:Index

EDIT: I'm not sure if {} don't need to be escaped in regex.

indexRouting with customFilters to route based on log content

HTTP Event Collector

index

JSON

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!