Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Routing not working as expected

mikefoti
Communicator
‎11-23-2011 12:24 PM

I made the following edits in the to the local\props and transforms files in order to redirect all events coming from the Splunk UF on the host name fofrd to the index name tmg:

props.conf

[host::fofrd]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

transforms.conf

[force_index_tmg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tmg

After the edits I restared splunkd and the SUF service on the other host. But I'm not getting what I expected. While I do get SOME events routed to the new TMG index, thy all seem to be related to the SplunkUF service itself. Other events, the ones I care about, still get forwarded to the defauel index.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mikefoti
Communicator
‎11-25-2011 06:11 AM

Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact polulated with "fofrd". It looks now like the original edits I made were correct after all. I beleive I did not see any events becuase there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mikefoti
Communicator
‎11-25-2011 06:11 AM

Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact polulated with "fofrd". It looks now like the original edits I made were correct after all. I beleive I did not see any events becuase there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-23-2011 12:37 PM

The reason for this behavior is that the field host of those events is not fofrd. fofrd is the host of events that originate from the UF itself. What I suggest you to do in this case is to use either the host of the events or source:: (instead of host::) in your props and list all sources from that UF. Ex:

props.conf
[source::/my/path/being/monitored]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...