Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Routing and transforming to two different indexers?

ldnail_at_TI
Path Finder
‎08-18-2021 12:13 PM

Today I have a custom sourcetype = custom:access_combined this is routed in its entirety at the heavy forwarder to two different index clusters.

ldnail_at_TI_0-1629313184782.png

Indexer1 is the dev team, indexer2 is ops.

So the problem I'm running into is that I'd like to:
- route a full copy to indexer1
- for indexer2, run through transforms and drop a bunch of noise (like 75%) ops doesn't need to nullqueue

ldnail_at_TI_1-1629313536940.png

Any ideas on how to approach this? 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

shivanshu1593
Builder
‎08-18-2021 12:53 PM

Like this:

On your HF, go to props.conf or create one in the directory $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local and put the following:

[custom:access_combined]
TRANSFORMS-routing=devRouting
TRANSFORMS-routing1=opsRouting

 In the same path, edit or create transforms.conf and put the following:

[devRouting]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=devGroup

[opsRouting]
REGEX= <put the regex to select & identify the data that you want to send to the ops indexer>
DEST_KEY=_TCP_ROUTING
FORMAT=opsGroup

 

Then in outputs.conf, append the following changes:

 

[tcpout:devGroup]
server=<ip of dev indexer>:<port number>

[tcpout:opsGroup]
server=<ip of ops indexer>:<port number>

 

Restart splunkd and check the results. If the changes aren't reflecting, please check the following:

1. Your regex is correct.

2. Entries about the IP and port are correct 

3. You or the team has the rights to access data.

4. Run btool and see what configurations are loaded for the app and sourcetype, for which we made the changes.

 

Hope this helps. Let me know if it works.

Thanks,

S

****If it helped, please upvote and accept it as a solution. It helps other Splunkers to find the solutions easily****

 

 

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ldnail_at_TI
Path Finder
‎08-18-2021 02:24 PM

I didn't see that in the forest of trees... thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

shivanshu1593
Builder
‎08-18-2021 12:53 PM

Like this:

On your HF, go to props.conf or create one in the directory $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/<app_name>/local and put the following:

[custom:access_combined]
TRANSFORMS-routing=devRouting
TRANSFORMS-routing1=opsRouting

 In the same path, edit or create transforms.conf and put the following:

[devRouting]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=devGroup

[opsRouting]
REGEX= <put the regex to select & identify the data that you want to send to the ops indexer>
DEST_KEY=_TCP_ROUTING
FORMAT=opsGroup

 

Then in outputs.conf, append the following changes:

 

[tcpout:devGroup]
server=<ip of dev indexer>:<port number>

[tcpout:opsGroup]
server=<ip of ops indexer>:<port number>

 

Restart splunkd and check the results. If the changes aren't reflecting, please check the following:

1. Your regex is correct.

2. Entries about the IP and port are correct 

3. You or the team has the rights to access data.

4. Run btool and see what configurations are loaded for the app and sourcetype, for which we made the changes.

 

Hope this helps. Let me know if it works.

Thanks,

S

****If it helped, please upvote and accept it as a solution. It helps other Splunkers to find the solutions easily****

 

 

 

 

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

iguardia
Loves-to-Learn Lots
‎07-20-2023 08:44 AM

in the same situation, how can I change de index for each remote indexer?

For example,  ops_index for ops and dev_index for dev, as follow:

props.conf:

[custom:access_combined]
TRANSFORMS-routing=devRouting,devIndex
TRANSFORMS-routing1=opsRouting,opsIndex

transforms:

[devRouting]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=devGroup

[opsRouting]
REGEX= <put the regex to select & identify the data that you want to send to the ops indexer>
DEST_KEY=_TCP_ROUTING
FORMAT=opsGroup

[devIndex]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=dev_index

[opsIndex]
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=ops_index

is right?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...