Getting Data In

Distribute data from one source to different indexes

kenchisho
Path Finder

Hi guys.

I am having some trouble routing data from one source to different indexes.

Here is my setup

inputs.conf

[monitor://C:\Program Files\Splunk\etc\apps\idsplunk\logs\test.log]
disabled = false
followTail = 0
index = main
sourcetype = test

transforms.conf

[reroute_index_1]
REGEX = 192.168.210.10
DEST_KEY = _MetaData:Index
FORMAT = testindex1

[reroute_index_2]
REGEX = 192.168.200.10
DEST_KEY = _MetaData:Index
FORMAT = testindex2

props.conf

[test]
TRANSFORMS-index1=reroute_index_1
TRANSFORMS-index2=reroute_index_2

At the moment I am testing this out so there are only 2 indexes... In production there should be 20+ indexes where all the data is coming in from one source (syslogNG).

With this setup my data does not get indexed at all... what am I missing?

Tags (1)
0 Karma

kenchisho
Path Finder

The setup above works perfectly... It kicked in after splunk was restarted a few times...

0 Karma

kenchisho
Path Finder

Yes they exist... this is now working... for some reason the config kicked in after i restarted splunk a few times... wierd

0 Karma

sdwilkerson
Contributor

Do the indexes "testindex1" and "testindex2" exists? Did you create them either through the UI, cli, or by editing indexes.conf?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...