Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can forwarder read first few lines, then split logs into different indexes?

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-15-2016 10:14 AM

Folks…gotta question here:

I have two websites flowing access_combined into the same directory.

Each site needs to go to its own Splunk index.

There is nothing in the filename that will identify the site.

Can the forwarder read the first few lines the file and then send the file the appropriate directory?

Going to post on Answers as well.

Clustered WebSphere server serving up many sites at once, logging centrally.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-15-2016 10:29 AM

If there are identifying features in each event instead of the path then you could use transforms.conf routing to set the index.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-15-2016 10:29 AM

If there are identifying features in each event instead of the path then you could use transforms.conf routing to set the index.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-16-2016 12:53 PM

You'd need a heavy forwarder if you want to perform this at the source, however your indexers can do this too so you can work with a universal forwarder.

I don't quite understand your second point... are you asking where you need to point to your transforms.conf entry? That'd be in props.conf under a sourcetype, source, or host stanza. In your case I'd lean towards source because you probably don't want to apply the transformation to all apache web logs or all logs coming from the entire host.

0 Karma
Reply
Solved! Jump to solution

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-16-2016 07:59 PM

Agreed...following this doc:
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
This is a great feature, in my case, all logging is dumped to single directory from multiple sites, we'll need to pull the eggs out the basket and send to the respective indexes.
Thanks again!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-17-2016 11:11 AM

Don't forget to mark the answer as accepted if your issue has been resolved.

0 Karma
Reply
Solved! Jump to solution

cpraznowski_spl
Splunk Employee
Splunk Employee
‎03-16-2016 07:25 AM

Thank you! Is it true that'd I'd need a heavy forwarder to do this & when transform.conf is utilized and source type is set to access_combined, that Splunk will need to re-instructruted to understand that the source is an apache web log? If the second statement is so, is that simply a setting in props.conf?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...