Getting Data In

Heavy forwarder - routing to different indexes depending on field value

Clovisa
Path Finder

Hi everyone !

I'm new to Splunk and I'm trying to see what can be done with it. I was wondering if it was possible, with a heavy forwarder, to forward data to different indexes depending on the value of a specific field?

For example, if I have the indexes red_colored_vegetables and green_colored_vegetables, and the following data :

| Id | Vegetable    | Color |
| 1  | Tomato       | Red   |
| 2  | Leek         | Green |
| 3  | Salad        | Green |

I want that 1 is forwarded to the index red_colored_vegetables and that 2 and 3 are forwarded to the index green_colored_vegetables.
Is it feasible?

Thanks !

0 Karma
1 Solution

hortonew
Builder

I think this should get you close to what you want:

inputs.conf
[monitor://...]
index=vegetables
sourcetype=vegetables
disabled=false

transforms.conf
[rewrite_red]
DEST_KEY =_MetaData:Index
REGEX = (?i)red
FORMAT = red_colored_vegetables

[rewrite_green]
DEST_KEY =_MetaData:Index
REGEX = (?i)green
FORMAT = green_colored_vegetables

props.conf
[vegetables]
TRANSFORMS-veggieindex = rewrite_red, rewrite_green

View solution in original post

hortonew
Builder

I think this should get you close to what you want:

inputs.conf
[monitor://...]
index=vegetables
sourcetype=vegetables
disabled=false

transforms.conf
[rewrite_red]
DEST_KEY =_MetaData:Index
REGEX = (?i)red
FORMAT = red_colored_vegetables

[rewrite_green]
DEST_KEY =_MetaData:Index
REGEX = (?i)green
FORMAT = green_colored_vegetables

props.conf
[vegetables]
TRANSFORMS-veggieindex = rewrite_red, rewrite_green

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...