Re: How to route data from forwarders to separate ...

bkumarm · ‎02-19-2016

I have log data from multiple sources coming into a single TCP port in JSON format as below:

<01>- hostname {"name":"DefaultProfile","version":"1.0","isonjkpFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"RT_FLOW_SESSION_CREATE_LS" [helps@2222.2.2.2.2.22 localis-compute-zxcv=\"ABC1\" application=\"UNKNOWN\" MKUNJI-application=\"UNKNOWN\" mnbhyujgt=\"UNKNOWN\"]","bgasbnJuh":"1","mnbIPOUN":"other","absIPPOL":"other","qweTgvfrt":"minj-bag6-7856ab-Hnqasui","abcPecpokk":"och-00-145-987.Net_11_4_5_6","mnbJhbpoiu":"other","source":"My application1","nhjRkyhcfBhytf":"MKI-PLO-ASW","thuHyrtfcQhbnjuytfv":"192.168.1.11"}

From this input, I want to forward the data to separate indexes based on the values for the source field.

Example: if source: application1, then send to index1, and so on.
Does the Splunk forwarder have this capability to extract a field and segregate the events to separate indexes on the indexer?

javiergn · ‎02-19-2016

Short answer
Universal Forwards can't inspect data. Heavy Forwarders (and Indexers) can.

Long answer
Use regex to parse the values of your JSON events and then redirect (override) accordingly to the right index.
See this:

https://answers.splunk.com/answers/6623/conditional-index-and-sourcetype-name-inputs-conf-by-file-na...
https://answers.splunk.com/answers/246672/how-can-i-override-an-index-name-based-on-sourcety.html
http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

How to route data from forwarders to separate indexes based on the source field when data is coming from single TCP port?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases