How to route a sourcetype to a specific index?

cmlombardo · ‎09-24-2014

Hi everyone.

Obviously I am missing something.
I would like this specific sourcetype to be directed to a specific index, but I can't make it work.
Here's what I have.

INPUTS.CONF

[monitor://C:\logs]
disabled = 0
sourcetype = dirsync
recursive = false

PROPS.CONF
[dirsync]
TRANSFORMS-8_AssignToIndex = dirsync_setindex_default


TRANSFORMS.CONF
[dirsync_setindex_default]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = dirsync

I have the index "dirsync" on Splunk, of course.

All the logs are currently going to the main index. Sigh....

Thank you!

Claudio

Runals · ‎09-24-2014

Other than adjusting your inputs your approach seems correct. The questions I would ask is are those props and transforms on the indexer(s) and have they been restarted? That is still one area where it often takes a reboot to kick in. We've also run into issues in the past where we've had to have the regex 'see' something. You might try adjusting that to something as basic as ^(.)

icyfeverr · ‎09-24-2014

In the inputs.conf you can add the following:

[monitor://C:logs]
disabled = 0
sourcetype = dirsync
recursive = false
index = my_new_index

see http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/inputsconf for additional documentation.

How to route a sourcetype to a specific index?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...