I made the following edits to the local props and transforms files in order to redirect all events coming from the Splunk UF on the host named fofrd to the index named tmg:
# props.conf
[host::fofrd]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

# transforms.conf
[force_index_tmg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tmg
After the edits I restarted splunkd and the SUF service on the other host. But I'm not getting what I expected. While I do get SOME events routed to the new TMG index, they all seem to be related to the Splunk UF service itself. Other events, the ones I care about, still get forwarded to the default index.
Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact populated with "fofrd". It looks now like the original edits I made were correct after all. I believe I did not see any events because there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.
The reason for this behavior is that the host field of those events is not fofrd. fofrd is the host of events that originate from the UF itself. What I suggest you do in this case is to use either the host of the events or source:: (instead of host::) in your props and list all sources from that UF. Ex:
props.conf
[source::/my/path/being/monitored]
TRANSFORMS-force_index_for_fofrd = force_index_tmg
Hope this helps.
> please upvote and accept answer if you find it useful - thanks!
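Added example, not from the original poster or the answer above: a complete props.conf and transforms.conf pair that routes to the tmg index both by host and by each monitored source, so the two approaches discussed in this thread can be compared side by side. The monitored paths are assumptions. Two caveats a practitioner should keep in mind: index-time transforms like this are applied where the data is parsed (the indexer or a heavy forwarder), not on a universal forwarder, and the target index must already exist on the indexer.

```ini
# Added example (not the original poster's files). Put both files in
# $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory) on the
# indexer or heavy forwarder that parses the data, then restart splunkd
# there. A universal forwarder does not evaluate index-time transforms.
# The monitored paths below are assumptions.

# ---------- props.conf ----------

# Route by host: matches events whose host field is exactly "fofrd".
# Only events that actually carry host=fofrd are affected.
[host::fofrd]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

# Route by source: one stanza per monitored path sent by that forwarder.
# "..." matches any number of path segments, "*" matches within one segment.
[source::/var/log/myapp/...]
TRANSFORMS-force_index_for_myapp = force_index_tmg

[source::/var/log/nginx/*.log]
TRANSFORMS-force_index_for_nginx = force_index_tmg

# ---------- transforms.conf ----------

# Shared by every stanza above: REGEX = . matches any non-empty event,
# and writing FORMAT into _MetaData:Index overrides the destination index.
[force_index_tmg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tmg
```

To confirm which stanzas the parsing tier actually loads, run `splunk btool props list --debug` and `splunk btool transforms list --debug` on the indexer or heavy forwarder; each line is prefixed with the file it came from, which catches a stanza that was placed on the wrong host or overridden by another app. Then check the result with a search such as `index=tmg | stats count by host, source` and compare it against `host=fofrd | stats count by index, source` to see which sources are still landing in the default index.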