- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Routing data to a specific index from a LWF
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing data to a specific index from a LWF
Tried a number of variations here but to no avail.
Situation: I have a number of UFs sending data onto a LWF which then sends all data onto my indexer. On my indexer i have created an index to store the data. I am trying to route all the data into this new index from the LWF and have had little luck so far.
On the LWF i placed the following global stanza in inputs.conf:
[default]
index=mynewindex
From what i have read, this should direct all data coming in from all the UF's into mynewindex sitting on the indexer. This does not work? I swapped out the LWF with a HF and still the same result? Am i missing something from my conf files?
This did work if i added the above stanza to the inputs.conf file located on the UF's but this is not the way i want to do it. I just want one entry to manage on my LWF/HF that can achieve the same result.
I appreciate any guidance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like you say, this only works in inputs.conf on the Splunk instance that originally picks up the event data. To change the index on a forwarding Splunk instance between the UF and the indexer, this forwarder needs to be a heavy forwarder so you can parse and rewrite the events' metadata. Once you have that, you add settings in props.conf and transforms.conf to rewrite which index events should go to. To create a default rule, this should do:
props.conf:
[default]
TRANSFORMS-index = setdefaultindex
transforms.conf:
[setdefaultindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mynewindex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use a SOURCE_KEY match in your setdefaultindex transform.
SOURCE_KEY = _MetaData:Index
REGEX = indexyouwantthistoapplyto
DEST_KEY = _MetaData:Index
FORMAT = mynewindexIt's a default rule, so it would rewrite everything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Couple of q's on this:
1 - I only wish to receive UF win events into 'mynewindex' and not the splunkd stuff from the HF. What would be the best way to achieve this? Do i need splunkd info? If so can i redirect somewhere else?
2 - Would your solution also redirect syslogs into 'mynewindex' or does it just concern itself with tcp9997 data?
thanks
nick
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
