Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract index from filename in inputs.conf

lindsaylandry
Engager
‎12-27-2017 01:58 PM

We have a splunkforwarder DaemonSet in Kubernetes, which is forwarding node logs to our splunk server.

We want to take the STDOUT logs from each container, located in /var/log/containers/*.log, and index by the namespace specified in the filename. Is there a way to do this?

Filenames look as follows: 

/var/log/containers/<pod-name>_<namespace>_<some-hash>.log

We'd like to set the index in inputs.conf by extracting the middle namespace from these files. I know there is a host_regex that will dynamically set the host, but I haven't found an equivalent for index.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-27-2017 02:45 PM

transforms.conf:

[indexfromsource]
SOURCE_KEY = MetaData:Source
DEST_KEY = _MetaData:Index
REGEX = /var/log/containers/<pod-name>_(<namespace>)_<some-hash>\.log
FORMAT = $1

props.conf:

[<sourcetype name>]
TRANSFORMS-indexfromsource = indexfromsource

Note: the regex is not valid, as I don't know how <pod-name>, <namespace>, <some-hash> will be formatted.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-27-2017 02:45 PM

transforms.conf:

[indexfromsource]
SOURCE_KEY = MetaData:Source
DEST_KEY = _MetaData:Index
REGEX = /var/log/containers/<pod-name>_(<namespace>)_<some-hash>\.log
FORMAT = $1

props.conf:

[<sourcetype name>]
TRANSFORMS-indexfromsource = indexfromsource

Note: the regex is not valid, as I don't know how <pod-name>, <namespace>, <some-hash> will be formatted.

Reply
Solved! Jump to solution

lindsaylandry
Engager
‎12-29-2017 07:37 AM

this is good for the server when it gets the data, but is there a way to change the index on the universal forwarder side?

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎12-29-2017 07:52 AM

There is not. You would need to place this configuration on the first heavy forwarder or indexer that sees the data.

0 Karma
Reply
Solved! Jump to solution

gwalford
Path Finder
‎12-27-2017 02:32 PM

You probably want the solution found here:

https://answers.splunk.com/answers/145389/routing-data-to-specific-index-based-on-filename.html

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...