Solved: Re: Reroute data that is marked for an index?

the_wolverine · ‎09-27-2010

I have syslog-ng data coming from LWFs that have been earmarked for indexA. I want to intercept these events and reroute them to another index called indexB. It doesn't seem to be working. Am I missing something basic?

The sourcetype is syslog so in props I have:

[syslog]
TRANSFORMS-route = route2indexB

transforms.conf:

[route2indexB]
REGEX=(192.168.1.12)
DEST_KEY = _MetaData:Index
FORMAT = indexB

I've tried multiple iterations of this configuration including using source and host in props.conf. I can't seem to get the data to go to indexB.

the_wolverine · ‎09-29-2010

Turns out the LWF was not a LWF. It was a heavyweight forwarder 🙂

Thanks to Raitz for figuring that out. He spotted the _linebreaker in the tcpdump output which is an indication of cooked data.

I had the system owner enable LWF from CLI and all is working as expected.

View solution in original post

the_wolverine · ‎09-29-2010

Turns out the LWF was not a LWF. It was a heavyweight forwarder 🙂

Thanks to Raitz for figuring that out. He spotted the _linebreaker in the tcpdump output which is an indication of cooked data.

I had the system owner enable LWF from CLI and all is working as expected.

gkanapathy · ‎09-30-2010

Wow. Would have been easier if you'd sent a Splunk diag.

the_wolverine · ‎09-29-2010

Here's the tcpdump command that was run at the indexer: /usr/sbin/tcpdump -A -s 1512 host and port 9997

Genti · ‎09-28-2010

Continuing my comment:
Telling the LWF where to send the data should be cheaper (resourcewise) and quite easy. here's an answer with a similar idea: http://answers.splunk.com/questions/5134/can-i-forward-different-data-inputs-to-different-splunk-ind...

the_wolverine · ‎09-30-2010

I'm not here to babysit forwarders 😉 Not Ghetto.

gkanapathy · ‎09-30-2010

Ghetto. If you had control over the forwarder configs, maybe you could actually be sure it was a LWF.

the_wolverine · ‎09-29-2010

We have data from this host that is going to indexA. I really want to be able to keep my hands off the LWF configuration so I don't have to set those up.

Genti · ‎09-28-2010

instead of doing it with props/transforms, why do you not tell the LWF to send to indexB? Rerouting with props/transforms even if possible should cause slowness in indexing...

the_wolverine · ‎09-28-2010

Simeon, how am I doing IT wrong?

the_wolverine · ‎09-28-2010

Har Har Har, guys.

Simeon · ‎09-28-2010

You are doing IT wrong

gkanapathy · ‎09-28-2010

please provide a complete splunk diag

Reroute data that is marked for an index?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...