Refine your search:

Sending to different index based on host from syslog stream

1

Ok, so I'm not sure what I'm doing wrong here. I need to send data coming in on the standard syslog UDP 514 stream based on hostname (Most of it going to main, the rest going to a custom index).

i created a new props.conf in etc/system/local with just:

[host::10.10.10.*]
TRANSFORM-test = route_to_test

And a new transforms.conf with just:

[route_to_test]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = test

My intention was to route anything coming in from 10.10.10.* to an index named test, however everything is still going to main.

What am I missing?

asked 22 Sep '10, 13:40

dkoski's gravatar image

dkoski
112
accept rate: 0%

edited 22 Sep '10, 13:43

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
4 Answers:
oldestnewestmost voted
3

This is how you need to configure the transform:

[route_to_test]
SOURCE_KEY=MetaData:Host
DEST_KEY=_MetaData:Index
REGEX=^host::(10\.10\.10\.\d+)$
FORMAT=test
WRITE_META=true

and you could use the sourcetype or source in the props:

[syslog]
TRANSFORMS-test = route_to_test

or

[source::udp:514]
TRANSFORMS-test = route_to_test
link

answered 22 Sep '10, 13:47

ziegfried's gravatar image

ziegfried ♦
10.1k1618
accept rate: 52%

edited 22 Sep '10, 19:03

So how would you do multiple subnets (or hosts) to multiple indexes then coming in on a syslog stream?

(22 Sep '10, 14:36) dkoski

Like this: REGEX=^host::(10.10.10.d+|192.168.0.d+)$

(22 Sep '10, 14:44) ziegfried ♦

You could probably use your approach with the WRITE_META=true stuff as well. Didn't try that one exactly myself.

(22 Sep '10, 14:46) ziegfried ♦

No, you don't need WRITE_META = true if writing to the _MetaData:Index DEST_KEY.

(22 Sep '10, 18:32) gkanapathy ♦

Are you sure? I experienced it in the past that it did not work without the WRITE_META...

(22 Sep '10, 18:38) ziegfried ♦
0

Does the REGEX statement require a capture group here? I can't remember...

What happens if you change it to:

REGEX = (.)
link

answered 22 Sep '10, 13:46

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

0

Really though, it seems to me his original solution should work as long as the incoming host name is in fact 10.10.10.*. I guess I would set the sourcetype to something not syslog (something that doesn't set the host) so you can see what's in the incoming data to be sure.

Oh, wait. Can you try:

TRANSFORMS-test = route_to_test

instead of:

TRANSFORM-test = route_to_test

And also as southeringtonp suggests, do not use the regex .*, use just .? or (?=) instead.

link

answered 22 Sep '10, 18:33

gkanapathy's gravatar image

gkanapathy ♦
32.4k4827
accept rate: 41%

edited 22 Sep '10, 18:44

0

Hey Guys,

I have same question I have 4 hosts 2 development and 2 production. I have created two index dev & prod.

I am using syslog TCP 514 port so how should i transfer production logs on prod and dev logs on dev index ?

I tried every combination but no luck... please help to find solution.

link

answered 10 Mar '11, 15:53

satishp's gravatar image

satishp
1114
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×454

Asked: 22 Sep '10, 13:40

Seen: 1,876 times

Last updated: 10 Mar '11, 15:53

Related questions

How to route to separate indexes based on host:: when forwarding to a indexer from SplunkLightForwarders

Routing to index based on host, etc.

Route data to index based on host

Move input to different index

routing remote syslog data to different indexes

Route syslog data to specific index by host

Routing syslog streams to different index

Process to copy index from one Windows Server to another

How to sending Cisco IPS logs to a different index

Copyright © 2005-2012 Splunk Inc. All rights reserved.