My Splunk environment:
Splunk 5.0 and clustered config with master node 1EA, header 1EA, peer node 2EA, and LB_forwarder 1EA
(working well)
On the forwarder, UDP port 9005 is open and incoming logs go to
index=main, source=udp:9005, sourcetype=udp:9005
I want to put them into a particular index (index routing) in a cluster environment.
I have already tried putting it on the header and indexers 1 and 2 (and then restarted cluster indexers 1 and 2),
but it still comes to the main index.
props.conf >>>>>
[host::172.20.99.62] (and also tried [udp:9005])
TRANSFORMS-udp_detail_job = detail_job_index, detail_job_source, detail_job_sourcetype

transforms.conf >>>>>>>
[detail_job_index]
WRITE_META=true
DEST_KEY = _MetaData:Index
REGEX = (^source=detail_job)
FORMAT = detail_job

[detail_job_source]
WRITE_META=true
DEST_KEY = MetaData:Source
REGEX = (^source=detail_job)
FORMAT = source::detail_job

[detail_job_sourcetype]
WRITE_META=true
DEST_KEY = MetaData:Sourcetype
REGEX = (^source=detail_job)
FORMAT = sourcetype::detail_job