- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forward messages to different indexes based on the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forward messages to different indexes based on the value of its field
Is it possible to forward messages to different indexes based on the value of message field ?
And which forwarder is the most appropriate (Universal or Heavy) ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. Using props.conf and transforms.conf, you can achieve this. Please provide some sample data to perform regex matching. Otherwise, below is the basic structure of configuration settings for routing events.
Props.conf:
[your_custom_sourcetype]
TRANSFORMS-routing = routing_based_on_field_values
Transforms.conf:
[routing_based_on_field_values]
REGEX = <your_custom_regex>
DEST_KEY = _MetaData:Index
FORMAT = <alternate_index_name>
You can find more information in below links, let me know if this helps.
https://answers.splunk.com/answers/566448/route-specific-events-to-a-relative-index.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case of having a thousands of different values , I want to create thousands of indexes. Does it mean I have to declared thousands of stanzas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, you want to route each event with different value to a different index? I thought, you want to look for specific value in the raw events and route all the events which have this specific value to different index(s).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I want to forward events with different value to a different indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide some sample events with values which you want to route.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
{"name":"value1"},
{"name":"value2"},
....
{"name":"value1000"}
In this case, I want to forward events to 1000 indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are all these events coming from 1 source/host? Also, why do you want to forward each event to each index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I am looking for solution of this problem.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
