
How to maintain data integrity in a Splunk index? I mean, is there any whitelisting of servers so that only specific servers are allowed to forward data to a specific index?

sunnyb147
Path Finder

How to maintain data integrity in a Splunk index? I mean, is there any whitelisting of servers so that only specific servers are allowed to forward data to a specific index?

For example: I have two indexes, index_test1 and index_test2, and 4 servers (A, B, C, D) configured to forward data. I want only servers A and B to send data to index_test1, and B & C to send data to index_test2.

Sample stanza:

    [monitor:///var/log/test/app/test.log]
    index = index_test1
    sourcetype = test_Log
    source = test_log_f1
    disabled = 0

The reason I am looking for this is that if, let's say, someone makes a typo, the intended data will be pushed to the incorrect/wrong index.

0 Karma

vishaltaneja070
Motivator

Hello @sunnyb147

I think something like the below will work for you:

props.conf

    [host::A|B]
    TRANSFORMS-datafilter = route_to_correct_index

    [host::C|D]
    TRANSFORMS-datafilter = route_to_correct_index2

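transforms.conf

    # REGEX = . matches every event, so the index is overwritten
    # for all events from the hosts matched in props.conf.
    [route_to_correct_index]
    REGEX = .
    DEST_KEY = _MetaData:Index
    FORMAT = index_test1

    [route_to_correct_index2]
    REGEX = .
    DEST_KEY = _MetaData:Index
    FORMAT = index_test2

0 Karma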

vishaltaneja070
Motivator

Place this setting on HF or Indexer

0 Karma
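
A pre-deployment check for the typo risk raised in the question, as an added example that is not part of the original thread: it parses each forwarder's inputs.conf and flags any stanza whose effective index is not on that host's allowlist. The `ALLOWED` mapping, the function names and the sample configs are constructed for illustration; the mapping follows the props.conf in the answer above (A and B to index_test1, C and D to index_test2).

```python
import configparser

# Assumed policy (constructed for this example): indexes each forwarder may
# write to. Mirrors the routing in the props.conf answer above.
ALLOWED = {
    "A": {"index_test1"}, "B": {"index_test1"},
    "C": {"index_test2"}, "D": {"index_test2"},
}

# Constructed sample inputs.conf contents, keyed by forwarder host.
SAMPLE_INPUTS = {
    "A": """
[monitor:///var/log/test/app/test.log]
index = index_test1
sourcetype = test_Log
""",
    "C": """
[monitor:///var/log/test/app/test.log]
index = index_test1
sourcetype = test_Log

[monitor:///var/log/test/app/other.log]
sourcetype = test_Log
""",
}

def parse_inputs(text):
    """Map each input stanza to its effective index.

    A [default] stanza supplies settings to every stanza in the file; with no
    index set anywhere, Splunk writes to its default index, main.
    """
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), default_section="default")
    cp.read_string(text)
    return {s: cp.get(s, "index", fallback="main") for s in cp.sections()}

def violations(host, text, allowed=ALLOWED):
    """Return (host, stanza, index) for inputs whose index the host may not use."""
    permitted = allowed.get(host, set())  # unknown host: nothing permitted
    return [(host, s, i) for s, i in parse_inputs(text).items() if i not in permitted]

def audit(inputs_by_host):
    """Check every host's inputs.conf; an empty list means the configs are clean."""
    return [v for h, t in sorted(inputs_by_host.items()) for v in violations(h, t)]

if __name__ == "__main__":
    for host, stanza, index in audit(SAMPLE_INPUTS):
        print(f"host {host}: [{stanza}] targets index {index!r}, not on its allowlist")
```

On the constructed samples, host C is flagged twice: once for naming index_test1, and once for an input with no index setting, which would land in main.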