Solved: How do I route data based on the Index field

mzorzi · ‎12-12-2016

Assuming I have a forwarder with inputs.conf:

[monitor:///var/log/notcritical]
index=datacritical

[monitor:///var/log/critical]
index=datanoncritical

How can I route the events from the two files into two different Splunk Indexers based purely on the value of Indexer field?

mzorzi · ‎12-12-2016

You should be able to forward based on value in the index field with this transforms.conf.

[send_to_critical]
SOURCE_KEY = _MetaData:Index
REGEX = datacritical
DEST_KEY = _TCP_ROUTING
FORMAT = critical

[send_to_noncritical]
SOURCE_KEY = _MetaData:Index
REGEX = datanoncritical
DEST_KEY = _TCP_ROUTING
FORMAT = noncritical

You the need to create a props.conf and make sure these two rules are applied to each event. You will then also need an outputs.conf with the two different tcpout groups, critical and noncritical.

View solution in original post

mzorzi · ‎12-12-2016

You should be able to forward based on value in the index field with this transforms.conf.

[send_to_critical]
SOURCE_KEY = _MetaData:Index
REGEX = datacritical
DEST_KEY = _TCP_ROUTING
FORMAT = critical

[send_to_noncritical]
SOURCE_KEY = _MetaData:Index
REGEX = datanoncritical
DEST_KEY = _TCP_ROUTING
FORMAT = noncritical

You the need to create a props.conf and make sure these two rules are applied to each event. You will then also need an outputs.conf with the two different tcpout groups, critical and noncritical.

How do I route data based on the Index field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases