Getting Data In

How to separate hosts/other fields into other data indexes?

bigfatyeastroll
Path Finder

I've got several data indexes (only one server) already that are separated by forwarders or listener ports. However, I have several devices that can only send to the default syslog port. How can I "pull out" events and place them into different indexes?

Is there a way in the Splunk Enterprise GUI to do this?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @bigfatyeastroll,
as @jscraig2006 said, once indexed it isn't possible to change the index!
I suggest you rethink your data structure: Splunk isn't a database where you separate data into tables; the correct way to identify a data flow is not the index but the sourcetype, to which all knowledge objects normally refer (fields, tags, eventtypes).
Splunk Best Practices say that there are two / three reasons to put the data in different indices:

  • retention,
  • access rights;

in other words, you should put in the same index data with the same retention period and the same access rights, not because they are related to different things.
It is also advisable not to put data with very different volumes in the same index: e.g. I would never combine data from a stream with few events per day with data from a stream with millions of events per day.
It is also not a good thing to have too many indices because they are more complex to manage.

To return to your request, it's not possible to change the index of data after it has been indexed, but it is possible to do it first: you need to find a way to identify it (e.g. the host of origin or a regex that identifies it) and then submit it to a transformation; for more information look at https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Advancedsourcetypeoverrides where they explain how to override a main field.

To override the index you have to do something like this on your Indexers or (when present) on your Heavy Forwarders:

on transforms.conf

 # routes every event that matches REGEX to the index named in FORMAT
 [overrideindex]
 DEST_KEY = _MetaData:Index
 # REGEX is matched against _raw unless SOURCE_KEY is set
 # (e.g. SOURCE_KEY = MetaData:Host to match on the sending host)
 REGEX = your_regex
 # my_new_index must already exist on the indexer
 FORMAT = my_new_index

on props.conf

 # apply the transform to every event of this sourcetype, before it is indexed
 [mysourcetype]
 TRANSFORMS-index = overrideindex

Ciao.
Giuseppe
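An added dry-run check, not from this thread or from Splunk, written around the props.conf/transforms.conf routing described in the answer above: it parses constructed conf text and reports which index each sample syslog event would land in, so a routing regex can be verified before it goes on the indexers (a mis-routed event ends up under the wrong retention and access rights). It assumes Splunk's semantics that REGEX is matched against _raw unless SOURCE_KEY is set, and that the transforms listed in TRANSFORMS-index run in order with each match overwriting the index; stanza names, hostnames and events are constructed.

```python
import configparser
import re

# Constructed conf text (not from the thread): two host-keyed routing stanzas.
TRANSFORMS_CONF = r"""
[route_firewalls]
SOURCE_KEY = MetaData:Host
REGEX = ^fw-\d+\.corp\.example$
DEST_KEY = _MetaData:Index
FORMAT = netfw

[route_switches]
SOURCE_KEY = MetaData:Host
REGEX = ^sw-
DEST_KEY = _MetaData:Index
FORMAT = netsw
"""
PROPS_CONF = """
[syslog]
TRANSFORMS-index = route_firewalls, route_switches
"""

def load_routes(transforms_text, props_text, sourcetype):
    """Return (name, source_key, regex, index) tuples in TRANSFORMS-index order."""
    tr = configparser.ConfigParser(interpolation=None)
    tr.read_string(transforms_text)
    pr = configparser.ConfigParser(interpolation=None)
    pr.read_string(props_text)
    routes = []
    for name in (n.strip() for n in pr[sourcetype]["TRANSFORMS-index"].split(",")):
        s = tr[name]
        if s["DEST_KEY"] != "_MetaData:Index":
            raise ValueError(f"{name} does not set the index")
        routes.append((name, s.get("SOURCE_KEY", "_raw"), re.compile(s["REGEX"]), s["FORMAT"]))
    return routes

def resolve_index(routes, event, default_index):
    """Assumed Splunk behaviour: every matching transform overwrites the index, last match wins."""
    index = default_index
    for _name, source_key, regex, target in routes:
        if regex.search(event[source_key]):
            index = target
    return index

def dry_run(events, default_index="main", sourcetype="syslog"):
    """Map each sample event's host to the index it would be written to."""
    routes = load_routes(TRANSFORMS_CONF, PROPS_CONF, sourcetype)
    return {e["MetaData:Host"]: resolve_index(routes, e, default_index) for e in events}

SAMPLE_EVENTS = [  # constructed events; MetaData:Host is what the syslog input sets
    {"MetaData:Host": "fw-01.corp.example", "_raw": "<134>Jan 1 00:00:00 fw-01 deny tcp 10.0.0.5"},
    {"MetaData:Host": "sw-core-1", "_raw": "<190>Jan 1 00:00:01 sw-core-1 link up Gi1/0/1"},
    {"MetaData:Host": "printer-7", "_raw": "<14>Jan 1 00:00:02 printer-7 toner low"},
]
```

Any host that matches no stanza stays in the input's default index, which is the case to look for when checking that nothing restricted leaks into the general index.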

bigfatyeastroll
Path Finder

Great, thanks!

Those 2 reasons you gave are the reasons I am separating them out. One group has multiple devices, and some are only able to send to the default syslog port (other groups have devices like this as well).

Since Splunk is not my main job role, I was hoping there would be an "easy" GUI way.

0 Karma

jscraig2006
Communicator

You can't. Once the data is indexed, you can't move the data to another index. Why not stand up a syslog server with a UF? Then you can send your syslog data to different directories based upon host and then send them to the peer based upon what the data type is. Network, firewall, etc.

0 Karma