- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Rerouting to different index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rerouting to different index
I can't seem to be able to reroute a sourcetype to a different index.
Here's props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType
And here is my transforms.conf
[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
What am I missing?!?
Thank you,
Claudio
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi cmlombardo,
best thing would be to set the correct index at input level in the inputs.conf . But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match ; if you aplly this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index:
props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType
transforms.conf
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i
Hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mhhh... I tried that already and for some reasons it's still going to the main index.
It's odd.
Hopefully this should not have anything to do with the fact that I am experimenting with the free splunk installation I have before sending it to the production one...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
does your custom index exists ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, and I verified it has the same name (including the case, even though I am not sure it would make a difference).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh my bad sorry .... try one of these settings:
[setindex_MySourceType]
REGEX = .
FORMAT = my_custom_i
DEST_KEY = _MetaData:Index
WRITE_META = true
or
[setindex_MySourceType]
REGEX = .
FORMAT = index::my_custom_i
DEST_KEY = _MetaData:Index
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
