Solved: How do I redirect AWS events to different indexes ...

BlueSocket · ‎03-12-2018

Hi,

I have a set of AWS inputs and I need to redirect events depending upon the names of the instances (which are in the events).
I have set up a transforms.conf to look like this:

[index_env1]
REGEX = env1
DEST_KEY = _MetaData:Index
FORMAT = env1

[index_env2]
REGEX = env2
DEST_KEY = _MetaData:Index
FORMAT = env2

In the inputs.conf, I have added a line:

TRANSFORMS-index_cloudwatch=index_env1,index_env2

When I restart Splunk, i get:

Invalid key in stanza [aws_cloudwatch://System CloudWatch_*******] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 12: TRANSFORMS-index_cloudwatch (value: index_env1,index_env2)

I can't see what I am doing wrong, but is there any reason why I can't use this syntax to redirect the events to different indexes?
Is redirection of indexes not supported by AWS inputs? What else can I do?

p_gurav · ‎03-12-2018

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

View solution in original post

p_gurav · ‎03-12-2018

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

BlueSocket · ‎03-13-2018

Ooooh. I feel a proper fool, now!

How do I redirect AWS events to different indexes by the content of the events in the AWS TA?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio