Monitoring Splunk

Why is the data not being filtered to another index?

Yaichael
Communicator

I have the following configuration for filtering the data coming from X udp port data input to an index that's being already created:

props.conf

[source::udp:X]
TRANSFORMS-new_index = route_index

transforms.conf

[route_index]
REGEX = ^"ip_add"$
DEST_KEY = _MetaData:Index
FORMAT = new_index

I know I'm almost there, but why isn't it working the way it is supposed to?

Thanks!

0 Karma
1 Solution

Yaichael
Communicator

I changed the configuration as follows, and it worked:

props.conf

[host::host_ip]
TRANSFORMS-new_index = route_index

transforms.conf

[route_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = new_index

Thanks for the help everyone!


0 Karma


s2_splunk
Splunk Employee

That will apply to everything (matching on .). Your question suggested you wanted to only route events that start with an IP address/the string "ip_add". If matching everything is what you need, cool.

0 Karma

MuS
Legend

It will match everything from host host_ip so this solution also only applies to one host; like the regex approach 🙂

0 Karma

somesoni2
Revered Legend

Try escaping the double quotes in the REGEX with a backslash. Also, ensure the configurations are on the Heavy Forwarder/Indexer, whichever comes first, and that you restart Splunk after the change.

0 Karma

Yaichael
Communicator

In the REGEX, the ip address isn't surrounded by double quotes. I wrote it like that so the system could see my input.

Sorry for not commenting the details.

0 Karma

somesoni2
Revered Legend

Ok. I'm guessing you're using a proper regex for the IP address (\d+\.\d+\.\d+\.\d+) rather than just the literal in REGEX = ^ip_add$. So, does your event only contain the IP address, as you mentioned that line 1 in your events starts and ends with the IP address? That may have been causing it to fail.

If your event starts with an IP address, use this as the filter: REGEX = ^\d+\.\d+\.\d+\.\d+
If your event ends with an IP address, use this as the filter: REGEX = \d+\.\d+\.\d+\.\d+$

0 Karma
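To see why the regex as posted never routes anything while the catch-all in the accepted answer routes everything, here is an added Python simulation of the index-routing transform (not Splunk's code and not from any post in this thread). It assumes Splunk searches REGEX against the whole _raw text of each event and that the last matching transform to set _MetaData:Index wins; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample events, as they might arrive on the UDP input (not from the thread).
SAMPLE_EVENTS = [
    "10.0.0.5 sshd[1203]: Accepted publickey for deploy from 192.0.2.7",
    'app=web level=info msg="healthcheck ok" src=10.0.0.5',
    "10.0.0.5",
]


@dataclass
class IndexRoute:
    """One transforms.conf stanza of the kind discussed above."""
    name: str
    regex: str                       # REGEX
    dest_index: str                  # FORMAT, with DEST_KEY = _MetaData:Index
    dest_key: str = "_MetaData:Index"


def route_event(raw: str, routes: list[IndexRoute], default_index: str = "main") -> str:
    """Return the index the event lands in.

    Assumption: REGEX is searched (not fully matched) against the whole _raw text,
    and when several transforms match, the last one to set _MetaData:Index wins.
    """
    index = default_index
    for route in routes:
        if route.dest_key == "_MetaData:Index" and re.search(route.regex, raw):
            index = route.dest_index
    return index


def route_all(routes: list[IndexRoute], events=SAMPLE_EVENTS, default_index="main") -> list[str]:
    """Route every sample event and return the resulting index per event."""
    return [route_event(e, routes, default_index) for e in events]


# The three regexes that appear in the thread.
AS_POSTED = IndexRoute("route_index", r'^"ip_add"$', "new_index")        # literal quotes, anchored
IP_AT_START = IndexRoute("route_index", r"^\d+\.\d+\.\d+\.\d+", "new_index")
CATCH_ALL = IndexRoute("route_index", r".", "new_index")                  # accepted answer: matches all

if __name__ == "__main__":
    for label, route in [("as posted", AS_POSTED), ("ip at start", IP_AT_START), ("catch-all", CATCH_ALL)]:
        # A catch-all moves every event off the input, so check the result on a sample first.
        print(f"{label:12} -> {route_all([route])}")
```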

s2_splunk
Splunk Employee

Without seeing a sample event it will be tricky to validate that your RegEx will actually match incoming data.
Can you share a sample?

Your other settings look correct to me.

0 Karma