Re: heavy forwarder to route base on _raw values

gooza · ‎02-23-2012

I'm trying to use the heavy forwarder to route data to different indexes based on values in _raw , is this possible ?

the configuration files are:

inputs.conf:

[tcp://9997]

sourcetype = FromFooandBarbysinglehost

props.conf:

[FromFooandBarbysinglehost]

BREAK_ONLY_BEFORE = ^

TRANSFORMS-routing = FromFoo,FromBar

transforms.conf:

[FromFoo]

REGEX = (?i) From|.+?Foo

DEST_KEY = _TCP_ROUTING

FORMAT = outtoFoo

[FromBar]

REGEX = (?i) From|.+?Bar

DEST_KEY = _TCP_ROUTING

FORMAT = outtoBar

outputs.conf:

[tcpout:outtoFoo]

server = 10.10.10.10:1111

sendCookedData = false

[tcpout:outtoBar]

server = 10.10.10.10:2222

sendCookedData = false

in the indexer 10.10.10.10 the TCP port 1111 is indexed to foo index , and 2222 is indexed to Bar index)

me problem is that I see both foo data and bar data in both indexes , it is like there is no termination to the transforms process and both are sent to both ports.

I double checked my REGEX in the search bar in splunk and it does show only the relevant data

what am I missing ?

Jason · ‎04-16-2012

_TCP_ROUTING is used to send data to another indexer. If the data is already at the indexer you want, just use the _MetaData:Index key to change the index for that event.

[FromFoo]
REGEX = (?i) From|.+?Foo
DEST_KEY = _MetaData:Index
FORMAT = foo_index

[FromBar]
REGEX = (?i) From|.+?Bar
DEST_KEY = _MetaData:Index
FORMAT = bar_index

gooza · ‎02-23-2012

no , the tcpout redirect the data to different TCP ports on the indexer and each port has its own source type and index

gkanapathy · ‎02-23-2012

when your data arrives in the indexers, what is the sourcetype? Is it FromFooandBarbysinglehost?

heavy forwarder to route base on _raw values

inputs.conf:

props.conf:

transforms.conf:

outputs.conf:

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases