Hello!
I have a number of transforms setting indexes on my forwarder in transforms.conf, like:
[syslog_change_innobackup_log_to_index_bar]
REGEX = ^<15\d>.*\sinnobackupex\s.*
FORMAT = bar
DEST_KEY = _MetaData:Index
WRITE_META = true
When I view these on a test system, which is both running as an indexer and has these transforms, the indexes are set correctly. Yay!
BUT!
In production, when I forward these logs with the new index, to the production indexer, the indexes are no longer set! They are all the original index as set in inputs.conf.
Am I missing something on the forwarder? Maybe having to do with outputs.conf?
Hi brainpreston,
look at this wiki page (Sorry docs team, I only have this handy 😉 ) http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F and you see that your settings must be done where the parsing of the events takes place. So either place your props.conf and transforms.conf on a heavy weight forwarder or the indexer.
Remember to restart Splunk to apply the configuration and it will only apply to new events.
Hope this helps ...
cheers, MuS
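
The behaviour described in the answer above, as an added example that is not part of the thread and not Splunk's own code: a small Python model that reads the transform from the question and shows which index an event ends up in, depending on whether the instance holding the configuration parses events. The `syslog` sourcetype binding in props.conf, the sample events, the `syslog_default` input index and the `parses_events` flag are assumptions made for the illustration.

```python
import configparser
import re

# Constructed configs: the stanza from the question, plus an assumed props.conf
# binding (the sourcetype name "syslog" is a placeholder, not from the thread).
TRANSFORMS_CONF = r"""
[syslog_change_innobackup_log_to_index_bar]
REGEX = ^<15\d>.*\sinnobackupex\s.*
FORMAT = bar
DEST_KEY = _MetaData:Index
WRITE_META = true
"""
PROPS_CONF = """
[syslog]
TRANSFORMS-route_index = syslog_change_innobackup_log_to_index_bar
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case-sensitive key names
    cp.read_string(text)
    return cp

def index_routes(props, transforms):
    """Map sourcetype -> [(compiled REGEX, target index)] for index-routing transforms."""
    routes = {}
    for sourcetype in props.sections():
        for key, value in props[sourcetype].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name] if transforms.has_section(name) else {}
                if t.get("DEST_KEY") == "_MetaData:Index":
                    routes.setdefault(sourcetype, []).append(
                        (re.compile(t["REGEX"]), t["FORMAT"]))
    return routes

def resolve_index(event, sourcetype, input_index, routes, parses_events):
    """Index the event lands in. Assumption of this model: transforms run in
    listed order, and only on an instance that parses events."""
    index = input_index
    if parses_events:
        for regex, target in routes.get(sourcetype, []):
            if regex.search(event):
                index = target
    return index

ROUTES = index_routes(load(PROPS_CONF), load(TRANSFORMS_CONF))
# Constructed sample events.
EVENTS = ["<158>Mar  3 02:00:01 db01 innobackupex 150303 02:00:01 completed OK!",
          "<158>Mar  3 02:00:05 db01 sshd[411]: Accepted publickey for backup"]
```

Calling `resolve_index` with `parses_events=False` reproduces the symptom from the question: the event keeps the index assigned in inputs.conf even though the transform is present.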
MuS, a few more architecture questions:
to answer the additional questions:
Hope this helps ...
yes thanks!
I'm reading the "deploy a heavy forwarder"
http://docs.splunk.com/Documentation/Splunk/6.0.7/Forwarding/Deployaheavyforwarder