Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to route an overrided sourcetype to other index ?

Starlette
Contributor
‎02-28-2011 05:59 PM

I have overrided some souretypes out of a huge syslog feed ( Kiwisyslog) Now I want to route specific sourcetypes to other indexes,,is this possible?

    props.conf

    [syslog]
    TRANSFORMS-sourcetype_and_host_override = asa_hostoverride, cisco_asa, cisco_fwsm
    SHOULD_LINEMERGE = false

    [cisco_firewall]
    TRANSFORMS-index = route_2_other_index


    transforms.conf

    [asa_hostoverride]
    DEST_KEY = MetaData:Host
    REGEX = \S+\t\S+\s(.*)\t+
    FORMAT = host::$1

    [cisco_asa]
    DEST_KEY = MetaData:Sourcetype
    REGEX = (%ASA)
    FORMAT = sourcetype::cisco_firewall

    [cisco_fwsm]
    DEST_KEY = MetaData:Sourcetype
    REGEX = (%FWSM)
    FORMAT = sourcetype::cisco_firewall

    [route_2_other_index]
    REGEX = (.)
    DEST_KEY = _MetaData:Index
    FORMAT other_index

Thanks!

Reply

Starlette
Contributor
‎02-28-2011 07:17 PM

As Gkanapathy mentioned : I took the whole bunch onder the same master sourcetype : below for a single entry ( [cisco_asa_2_index] ) ,,,but this works for all my sourcetypes in syslog!

[syslog]

TRANSFORMS-sourcetype_and_host_override = asa_hostoverride, cisco_asa, cisco_fwsm, named, dhcp, cisco_asa_2_index
SHOULD_LINEMERGE = false


transforms.conf

[asa_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

[cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ASA)
FORMAT = sourcetype::cisco_firewall

[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall


[cisco_asa_2_index]
DEST_KEY = _MetaData:Index
REGEX = (%ASA)
FORMAT = other_index
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-28-2011 06:03 PM

Not the way you have done it. Transforms only happen in a single pass, so the [cisco_firewall] rule in props.conf will not apply, since the events have not had their sourcetype set to cisco_firewall yet. You would have to add another rule on [syslog] to match and set the index.

Reply

Starlette
Contributor
‎02-28-2011 06:09 PM

so how do I add the cisco_firewall in other index?
Not sure what you mean though

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...