Admin Manual

Route events to specific indexes

This documentation does not apply to the most recent version of Splunk.

By default, Splunk sends all events to an index called main. However, you may want to send specific events to other indexes. For example, you might want to segment data or to send event data from a noisy source to an index that is dedicated to receiving it. You can route data locally or route data you are receiving from remote sources or Splunk instances.

Note: When you place data in an alternate index, you must name that index in your search with index=<name> whenever you want to search it, for example:

index=foo

Send all events from a data input to a specific index

To configure routing for all events from a particular data input to an alternate index, add the following to the appropriate stanza in inputs.conf.

index = myindex

Example

The following example inputs.conf entry routes data to index = fflanda:

[monitor:///var/log]
disabled = false
index = fflanda

If you specify a different index on the forwarder, when the events reach the indexing instance they will be routed to the named index, which must already exist.

Route specific events to a different index

To configure routing for certain events to an alternate index, edit props.conf and transforms.conf on the local Splunk instance.

1. Identify an attribute of the event that can be used to separate it from others.

2. Create an entry in props.conf for the source, source type or host and specify a TRANSFORMS class and a TRANSFORMS name. The class name refers to a regular expression stanza you will place in transforms.conf.

In this example, the TRANSFORMS class name is index and the TRANSFORMS name is AppRedirect.

3. Create an entry in transforms.conf with a regular expression that matches the attribute identified in step 1, writes the alternate index name (in this example, Verbose) to the FORMAT key, and sets DEST_KEY to the index attribute _MetaData:Index.

Edit props.conf

Add the following stanza to $SPLUNK_HOME/etc/system/local/props.conf:

[<spec>]
TRANSFORMS-$NAME = $UNIQUE_STANZA_NAME

<spec> can be:

$NAME is whatever unique identifier you want to give to your transform.

Edit transforms.conf

Add the following stanza to $SPLUNK_HOME/etc/system/local/transforms.conf:

[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_CUSTOM_REGEX
DEST_KEY = _MetaData:Index
FORMAT = Verbose

Name your stanza with $UNIQUE_STANZA_NAME to match the name you specified in props.conf. Add $YOUR_CUSTOM_REGEX based on the attribute you've identified.

Example

Identify an attribute

web1.example.com	MSWinEventLog	1	Application	721	Wed Sep 06 17:05:31 2006
4156	MSDTC	Unknown User	N/A	Information	WEB1	Printers		String
message: Session idle timeout over, tearing down the session.	179
web1.example.com	MSWinEventLog	1	Security	722	Wed Sep 06 17:59:08 2006
576	Security	SYSTEM	User	Success Audit	WEB1	Privilege Use
Special privileges assigned to new logon:     User Name:      Domain:      Logon
ID: (0x0,0x4F3C5880)     Assigned: SeBackupPrivilege   SeRestorePrivilege
SeDebugPrivilege   SeChangeNotifyPrivilege   SeAssignPrimaryTokenPrivilege 525

For this example we will send events to a new index depending on the log type. "Application" logs will go to a new index, while other types, such as "Security", will go to the default index. A match on "Application" in the appropriate place in the events of our sourcetype, windows_snare_log, triggers the value assignments in the transforms stanza AppRedirect. Our assignment is the index name, "applogindex".

Example: edit props.conf

Add the following stanza to $SPLUNK_HOME/etc/system/local/props.conf:

[windows_snare_syslog]
TRANSFORMS-index = AppRedirect

Example: edit transforms.conf

Add the following stanza to $SPLUNK_HOME/etc/system/local/transforms.conf:

[AppRedirect]
REGEX = MSWinEventLog\s+\d+\s+Application
DEST_KEY = _MetaData:Index
FORMAT = applogindex
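As an added illustration (not Splunk's own code), the following Python script mimics what the indexer does with the stanzas above: it parses the transforms stanza, applies REGEX to two constructed Snare events, and rewrites the destination only when DEST_KEY is _MetaData:Index. The PROPS_TRANSFORMS dict stands in for the props.conf binding, and the set of known indexes is an assumed stand-in for the indexes that exist on the indexer.

```python
import configparser
import re

DEFAULT_INDEX = "main"  # where Splunk sends events when no transform rewrites the index

# The transforms.conf stanza from the page, embedded here as a constructed string.
TRANSFORMS_CONF = r"""
[AppRedirect]
REGEX = MSWinEventLog\s+\d+\s+Application
DEST_KEY = _MetaData:Index
FORMAT = applogindex
"""

# Stand-in for the props.conf binding "TRANSFORMS-index = AppRedirect" (assumed structure).
PROPS_TRANSFORMS = {"windows_snare_syslog": ["AppRedirect"]}


def load_transforms(conf_text):
    """Parse Splunk-style INI stanzas, keeping key case (REGEX, DEST_KEY, FORMAT)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route_event(raw_event, sourcetype, transforms, known_indexes):
    """Return the index this event lands in, mimicking index-time TRANSFORMS.

    Only stanzas whose DEST_KEY is _MetaData:Index change the destination;
    a later matching stanza overrides an earlier one.
    """
    index = DEFAULT_INDEX
    for stanza_name in PROPS_TRANSFORMS.get(sourcetype, []):
        stanza = transforms[stanza_name]
        if stanza.get("DEST_KEY") != "_MetaData:Index":
            continue
        if re.search(stanza["REGEX"], raw_event):  # REGEX is unanchored, as in Splunk
            index = stanza["FORMAT"]
    # The page notes that the target index must already exist on the indexer.
    if index not in known_indexes:
        raise ValueError(f"index {index!r} does not exist on the indexer")
    return index


# Constructed, shortened versions of the two Snare events shown on the page.
APP_EVENT = "web1.example.com\tMSWinEventLog\t1\tApplication\t721\tWed Sep 06 17:05:31 2006\t4156\tMSDTC"
SEC_EVENT = "web1.example.com\tMSWinEventLog\t1\tSecurity\t722\tWed Sep 06 17:59:08 2006\t576\tSecurity"


def demo():
    transforms = load_transforms(TRANSFORMS_CONF)
    indexes = {"main", "applogindex"}
    return [route_event(e, "windows_snare_syslog", transforms, indexes) for e in (APP_EVENT, SEC_EVENT)]


if __name__ == "__main__":
    print(demo())  # ['applogindex', 'main']
```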

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11