How to route a sourcetype to a specific index?

cmlombardo · ‎09-24-2014

Hi everyone.

Obviously I am missing something.
I would like this specific sourcetype to be directed to a specific index, but I can't make it work.
Here's what I have.

INPUTS.CONF

[monitor://C:\logs]
disabled = 0
sourcetype = dirsync
recursive = false

PROPS.CONF
[dirsync]
TRANSFORMS-8_AssignToIndex = dirsync_setindex_default


TRANSFORMS.CONF
[dirsync_setindex_default]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = dirsync

I have the index "dirsync" on Splunk, of course.

All the logs are currently going to the main index. Sigh....

Thank you!

Claudio

Runals · ‎09-24-2014

Other than adjusting your inputs your approach seems correct. The questions I would ask is are those props and transforms on the indexer(s) and have they been restarted? That is still one area where it often takes a reboot to kick in. We've also run into issues in the past where we've had to have the regex 'see' something. You might try adjusting that to something as basic as ^(.)

icyfeverr · ‎09-24-2014

In the inputs.conf you can add the following:

[monitor://C:logs]
disabled = 0
sourcetype = dirsync
recursive = false
index = my_new_index

see http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/inputsconf for additional documentation.

How to route a sourcetype to a specific index?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life