Admin Manual


Send specific events to an alternate index

This example sends Windows Application events to an index called Application and keeps the Windows Security events in the default index.


In order to route the events correctly you will need to do three things:

  1. Identify a constant attribute in the event to key off of.
  2. Create an entry in props.conf for that source (or sourcetype) that calls the appropriate regex.
  3. Create a regex in regexes.conf that, when it matches, sends the event to the Application index.

Identify an attribute


    web1.example.com	MSWinEventLog	1	Application	721	Wed Sep 06 17:05:31 2006	4156	MSDTC	Unknown User	N/A	Information	WEB1	Printers		String message: Session idle timeout over, tearing down the session.	179
    web1.example.com	MSWinEventLog	1	Security	722	Wed Sep 06 17:59:08 2006	576	Security	SYSTEM	User	Success Audit	WEB1	Privilege Use	Special privileges assigned to new logon:     User Name:      Domain:      Logon ID: (0x0,0x4F3C5880)     Assigned: SeBackupPrivilege   SeRestorePrivilege   SeDebugPrivilege   SeChangeNotifyPrivilege   SeAssignPrimaryTokenPrivilege 525

For this example we will use the Application field as our trigger.


Create an entry in props.conf:


In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:


    [windows_snare_syslog]
    REGEXES-index = Application

Create an entry in regexes.conf:


In $SPLUNK_HOME/etc/bundles/local/regexes.conf add the following stanza:


    [Application]
    REGEX = Application
    DEST_KEY = _MetaData:Index
    FORMAT = Application
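To see what the two stanzas above actually do to the sample events, here is an added simulation (not Splunk code and not from this page) of a regexes.conf rule: REGEX is searched anywhere in the raw event, and a hit sets DEST_KEY (_MetaData:Index) to FORMAT. Because `REGEX = Application` is unanchored, it also fires on a Security event whose message text merely contains the word "Application", so the block adds an assumed stricter pattern anchored on the Snare log-name column; the third event, the "strict" stanza and the default index name `main` are constructed assumptions.

```python
import re

# Constructed sample events in the tab-delimited Snare "MSWinEventLog" format
# shown on this page (wrapped lines joined). The third event is an added,
# constructed Security event whose message text happens to contain the word
# "Application"; it is not from the page.
EVENTS = [
    "web1.example.com\tMSWinEventLog\t1\tApplication\t721\tWed Sep 06 17:05:31 2006"
    "\t4156\tMSDTC\tUnknown User\tN/A\tInformation\tWEB1\tPrinters\t\tString "
    "message: Session idle timeout over, tearing down the session.\t179",
    "web1.example.com\tMSWinEventLog\t1\tSecurity\t722\tWed Sep 06 17:59:08 2006"
    "\t576\tSecurity\tSYSTEM\tUser\tSuccess Audit\tWEB1\tPrivilege Use\tSpecial "
    "privileges assigned to new logon: User Name: Domain: Logon ID: "
    "(0x0,0x4F3C5880) Assigned: SeBackupPrivilege SeRestorePrivilege "
    "SeDebugPrivilege SeChangeNotifyPrivilege SeAssignPrimaryTokenPrivilege\t525",
    "web1.example.com\tMSWinEventLog\t1\tSecurity\t723\tWed Sep 06 18:02:11 2006"
    "\t560\tSecurity\tSYSTEM\tUser\tSuccess Audit\tWEB1\tObject Access\tObject "
    "Open: Object Name: C:\\Application Data\\settings.ini\t530",
]

DEFAULT_INDEX = "main"  # assumption: where events land when no rule matches

# Each entry models one regexes.conf stanza: when REGEX is found anywhere in
# the raw event (an unanchored search, as on the page), DEST_KEY is set to
# FORMAT. The "strict" stanza is an added, assumed alternative that anchors on
# the Snare log-name column (4th tab-separated field) instead of the whole line.
RULES = {
    "loose": {"REGEX": r"Application",
              "DEST_KEY": "_MetaData:Index", "FORMAT": "Application"},
    "strict": {"REGEX": r"^[^\t]+\tMSWinEventLog\t\d+\tApplication\t",
               "DEST_KEY": "_MetaData:Index", "FORMAT": "Application"},
}


def route(raw_event, rule):
    """Return the index name the event would be sent to under `rule`."""
    meta = {"_MetaData:Index": DEFAULT_INDEX}
    if re.search(rule["REGEX"], raw_event):
        meta[rule["DEST_KEY"]] = rule["FORMAT"]
    return meta["_MetaData:Index"]


def route_all(raw_events, rule):
    """Route every event and return the list of destination indexes."""
    return [route(e, rule) for e in raw_events]


if __name__ == "__main__":
    for name in ("loose", "strict"):
        print(name, route_all(EVENTS, RULES[name]))
    # loose -> ['Application', 'main', 'Application']
    # strict -> ['Application', 'main', 'main']
```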

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

