Route specific events to an alternate index
By default, events are sent to an index called main. However, you may wish to send specific events to other indexes, for example to segment data, or to send voluminous event data from a noisy source to an index that is dedicated to receiving it. You can route data that is generated locally as well as data you receive from remote sources or other Splunk instances.
Note: when you place data in an alternate index, you must specify the index in your search with the index:: key:
index::foo
To route all events from a particular data input to an alternate index, add
index = myindex
to the appropriate stanza in inputs.conf.
Example
[tail:///var/log]
disabled = false
index = myindex
If you do this on a forwarder, when the events reach the indexing instance they will be routed to the named index, which must already exist.
To configure routing only certain events to an alternate index, edit props.conf and transforms.conf on the local Splunk instance.
Configuration
- Identify an attribute of the event that can be used to separate it from others.
- Create an entry in props.conf for the source, source type or host and specify a TRANSFORMS class and a TRANSFORMS name. The class name refers to a regular expression stanza you will place in transforms.conf. In this example, the TRANSFORMS class name is index and the TRANSFORMS name is AppRedirect.
- Create an entry in transforms.conf with a regular expression that matches the attribute identified in step 1, writes the alternate index name (in this example, Verbose) to the FORMAT key, and sets DEST_KEY to the index attribute _MetaData:Index.
transforms.conf:
Add the following stanza to $SPLUNK_HOME/etc/bundles/local/transforms.conf:
[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_CUSTOM_REGEX
DEST_KEY = _MetaData:Index
FORMAT = Verbose
Name your stanza with a $UNIQUE_STANZA_NAME. Add $YOUR_CUSTOM_REGEX based on the attribute you've identified.
props.conf :
Add the following stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:
[<spec>]
TRANSFORMS-$NAME = $UNIQUE_STANZA_NAME
<spec> can be:
- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
$NAME is whatever unique identifier you want to give to your transform.
$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.
Example
Identify an attribute:
web1.example.com MSWinEventLog 1 Application 721 Wed Sep 06 17:05:31 2006 4156 MSDTC Unknown User N/A Information WEB1 Printers String message: Session idle timeout over, tearing down the session. 179
web1.example.com MSWinEventLog 1 Security 722 Wed Sep 06 17:59:08 2006 576 Security SYSTEM User Success Audit WEB1 Privilege Use Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x4F3C5880) Assigned: SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege SeAssignPrimaryTokenPrivilege 525
For this example we will use the Application field as our trigger. A match on "Application" in events from the sourcetype windows_snare_syslog causes the value assignments in the transforms stanza AppRedirect to be applied. One of those assignments is the index name, Verbose.
props.conf :
Add the following stanza to $SPLUNK_HOME/etc/bundles/local/props.conf:
[windows_snare_syslog]
TRANSFORMS-index = AppRedirect
transforms.conf:
Add the following stanza to $SPLUNK_HOME/etc/bundles/local/transforms.conf:
[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:Index
FORMAT = Verbose
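To make the props.conf / transforms.conf interaction described above concrete, the following is an added example (not Splunk's code and not part of this page): a small Python model that parses the two stanzas as INI-style text and routes constructed sample events the way the configuration implies. The conf text mirrors the page's example; the events are constructed, shortened Snare lines in the same style. It assumes a simplified model of Splunk's behaviour: a props stanza is selected by sourcetype, host::<host> or source::<source>; TRANSFORMS-* classes are applied in sorted order of the class name; a transform whose REGEX matches the raw event writes FORMAT into _MetaData:Index, and the last match wins. It also includes a check for the caveat stated earlier on the page, that the target index must already exist.

```python
import configparser
import re

# Constructed props.conf / transforms.conf text, mirroring the page's example.
PROPS_CONF = """\
[windows_snare_syslog]
TRANSFORMS-index = AppRedirect
"""

TRANSFORMS_CONF = """\
[AppRedirect]
REGEX = Application
DEST_KEY = _MetaData:Index
FORMAT = Verbose
"""

# Constructed sample events (shortened Snare lines in the style of the page's example).
EVENTS = [
    {"sourcetype": "windows_snare_syslog", "host": "web1.example.com", "source": "udp:514",
     "_raw": "web1.example.com MSWinEventLog 1 Application 721 Wed Sep 06 17:05:31 2006 4156 MSDTC "
             "Unknown User N/A Information WEB1 Printers String message: Session idle timeout over 179"},
    {"sourcetype": "windows_snare_syslog", "host": "web1.example.com", "source": "udp:514",
     "_raw": "web1.example.com MSWinEventLog 1 Security 722 Wed Sep 06 17:59:08 2006 576 Security "
             "SYSTEM User Success Audit WEB1 Privilege Use Special privileges assigned to new logon 525"},
    # Same word in a different sourcetype: the props stanza does not apply, so it stays in main.
    {"sourcetype": "syslog", "host": "app1.example.com", "source": "/var/log/messages",
     "_raw": "Sep 06 18:00:01 app1 myd[42]: Application started"},
]


def load_conf(text):
    """Parse Splunk-style .conf text (INI stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: TRANSFORMS-index, DEST_KEY, ...
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def matching_stanzas(props, event):
    """props stanzas that apply to an event: <sourcetype>, host::<host>, source::<source>."""
    keys = (event["sourcetype"], "host::" + event["host"], "source::" + event["source"])
    return [props[k] for k in keys if k in props]


def route_event(props, transforms, event, default_index="main"):
    """Simplified model (assumption): TRANSFORMS-* classes run in sorted class-name order;
    a transform whose REGEX matches _raw sets the index to FORMAT; the last match wins."""
    index = default_index
    for stanza in matching_stanzas(props, event):
        for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
            for name in (n.strip() for n in stanza[key].split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") != "_MetaData:Index":
                    continue  # not an index-routing transform
                if re.search(t["REGEX"], event["_raw"]):  # REGEX is unanchored: matches anywhere in _raw
                    index = t["FORMAT"]
    return index


def route_all(props_text, transforms_text, events):
    """Return the destination index for each event, in order."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [route_event(props, transforms, e) for e in events]


def undefined_targets(transforms_text, known_indexes):
    """Names of index-routing transforms whose FORMAT is not an existing index.
    The page says the target index must already exist; routing to a missing
    index loses the events, so check this before deploying the stanza."""
    transforms = load_conf(transforms_text)
    return sorted(name for name, t in transforms.items()
                  if t.get("DEST_KEY") == "_MetaData:Index"
                  and t.get("FORMAT") not in known_indexes)


if __name__ == "__main__":
    for event, index in zip(EVENTS, route_all(PROPS_CONF, TRANSFORMS_CONF, EVENTS)):
        print(f"{index:8} <- {event['_raw'][:60]}")
    print("missing target indexes:", undefined_targets(TRANSFORMS_CONF, {"main"}))
```

Running the model sends only the first Snare event to Verbose; the Security event and the syslog event stay in main, even though the syslog line also contains the word "Application", because the props stanza is scoped to the windows_snare_syslog sourcetype. The unanchored REGEX is worth noting: Application matches anywhere in the event, so any other event from that sourcetype that happens to contain the word is routed too; a more specific expression (for example one anchored on the Snare log-type field position) avoids that. undefined_targets flags AppRedirect until a Verbose index exists.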
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6