props.conf

frankwayne · ‎10-13-2016

The modular input only lists indexes on the local Splunk instance. The heavy forwarder where the add-on is installed sends events to a cluster. How do I specify an index that is not one of the local indexes, i.e. whatever index name I want?

bawood · ‎10-13-2016

You can create the index on the heavyforwarder so the add-on sees it as an option, as long as the heavyforwarder is set to send everything to your indexers, the data will be forwarded and not indexed locally.

View solution in original post

bawood · ‎10-13-2016

You can create the index on the heavyforwarder so the add-on sees it as an option, as long as the heavyforwarder is set to send everything to your indexers, the data will be forwarded and not indexed locally.

frankwayne · ‎10-13-2016

That solution occurred to me, but I don't like it. It would be better to have a text box instead of a drop down for the index name.

frankwayne · ‎10-13-2016

My temporary solution is to rewrite the index metadata. Thanks for the app!

props.conf

[duo:administrator]
TRANSFORMS-duo_administrator = duo_set_index
[duo:authentication]
TRANSFORMS-duo_authentication = duo_set_index
[duo:info_summary]
TRANSFORMS-duo_info_summary = duo_set_index
[duo:telephony]
TRANSFORMS-duo_telephony = duo_set_index

transforms.conf

[duo_set_index]
REGEX = .+
DEST_KEY = _MetaData:Index
FORMAT = some_index

DUO Add-on: How do I specify an index that is not on the local instance

props.conf

transforms.conf

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes