Hello.
I really hope someone on here will be able to help me out. Long story short: I am having some difficulties renaming an index on some cooked data that is hitting my indexer with transforms.conf and props.conf. I am trying to rename it from bottles to newindex.
On the indexer, I have the following:
$SPLUNK_HOME/etc/system/local/transforms.conf:
[changeindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = newindex
$SPLUNK_HOME/etc/system/local/props.conf:
[host::splunk-uf]
TRANSFORMS-index = changeindex
(For what it is worth) $SPLUNK_HOME/etc/system/local/inputs.conf:
[default]
host = splunk-indexer
[splunktcp:9997]
connection_host=none
index = newindex
compressed=true
listenOnIPv6=no
The error Splunk Web on the indexer is giving me when I send logs:
Received event for unconfigured/disabled/deleted index=bottles with source="source::/var/log/messages" host="host::splunk-uf" sourcetype="sourcetype::syslog". So far received events from 1 missing index(es).
I have been sure to restart Splunk!
Any help would be greatly appreciated. Thanks!
EDIT: Some more info:
Basically, I need to be able to send data from a Universal Forwarder (UF), via a Heavy Forwarder (HWF), to two indexers. The data needs to be indexed under different indexes on each indexer. I have a UF that forwards data to a HWF. The HWF forwarder does some transforms on the data to anonymize some components of it. It then forwards data to Indexer1 and Indexer2 using TCP ROUTING. I have been asked to send data to the bottles index on Indexer1 and to newindex on Indexer2. I have no control over Indexer1, hence why I have set the index to be bottles on the UF and need the HWF to do the anonymizing of data, as I don't have control over Indexer1. Thus, I am trying to transform the data hitting Indexer2 to change the index name to newindex.