I've searched Splunk Answers and Googledom with no luck, leaving me to possibly repeat the same question others may have already asked...
Background --
We're setting up a brand new distributed environment to replace our current single-instance server. We'll eventually have two indexers (each with two indexes) and a layer of intermediate forwarders to accept data from the various equipment. Routing to an indexer (and eventually which index within) will be based solely on the "host" field value, which could be a hostname, a FQDN, or an IP address. (All of this is for requirements I've been handed, so I can't change this part of the architecture.)
Technical Setup and Question --
In my current test environment, I've got one indexer and an intermediate forwarder receiving from a test client. The intent is for anything from "splunk-if" or "splunk-if.domain.com" to be routed into the index test2.
props.conf currently is:
[host::splunk-if*]
TRANSFORMS-splunk-if = TR_splunk-if
transforms.conf currently is:
[TR_splunk-if]
SOURCE_KEY = MetaData:Host
DEST_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = test2
I've tried several different ways to set these up, based on what I've found in the Splunk documentation and Answers forum (with the latest formats shown above). Unfortunately, nothing has worked and everything for splunk-if is heading into the main index (which fails my configuration testing).
So my (obvious) questions are -- What am I doing wrong? What's the correct syntax? Will the same syntax work when I start setting up my intermediate forwarders' outputs/props/transforms .conf files?
Many Thanks!