Solved: Re: How and where do I configure props and transfo...

allan_newton · ‎09-14-2015

Hi,

I have 4 forwarders, 4 search heads, and 2 forwarders in my Splunk cluster. Now one of the forwarders is configured to read data from UDP port 514. The data comes in to the forwarder and it then is forwarded to the indexers.

Now I need to apply configurations in transforms.conf and props.conf to write few events into a separate index by host. Where do I put those configurations? Should I do the changes in the forwarder or the indexer?

Thanks.

MuS · ‎09-14-2015

Hi allan_newton,

try something like this,un-tested and out of my head:

props.conf

[source::udp:514]
TRANSFORMS-001_changemetadata = redirect_to_index_foo

transforms.conf

[redirect_to_index_foo]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(10.10.10.d+)$
FORMAT = foo
DEST_KEY = _MetaData:Index

Don't forget to restart the forwarder after you changed the props and transforms.
Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎09-14-2015

Hi allan_newton,

try something like this,un-tested and out of my head:

props.conf

[source::udp:514]
TRANSFORMS-001_changemetadata = redirect_to_index_foo

transforms.conf

[redirect_to_index_foo]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(10.10.10.d+)$
FORMAT = foo
DEST_KEY = _MetaData:Index

Don't forget to restart the forwarder after you changed the props and transforms.
Hope this helps ...

cheers, MuS

allan_newton · ‎09-14-2015

Instead of ^host::(10.10.10.d+)$ can i use host::(10.10.10.32) ?

How and where do I configure props and transforms to forward a few events into a particular index by host?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability