Topics

| pdf version

Overview

Setting Up Data Inputs

Authentication

LDAP Authentication

Changing the Way Splunk Processes Your Data

Creating and Using Configuration Bundles

Configuring Your Sources

Splunk-2-Splunk Management

Integration

Managing Your Filesystem

How-To's

Toolbox

Splunk > The IT Search Company

Search and navigate IT data from applications, servers and network devices in real-time.
Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Download manuals in other languages

Documentation | Discussion | View source | History

Send specific events to an alternate index

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6

Send specific events to an alternate index

This example will send Windows Application events to an index called Application and keep the Windows Security events in the default index

In order to route the events correctly you will need to do 3 things:

Identify a constant attribute in the event to key off of
Create an entry in props.conf for that source (or sourcetype) that will call the appropriate regex
Create a regex in regex.conf that when matches sends the event to the Application index

Identify an attribute

web1.example.com	MSWinEventLog	1	Application	721	Wed Sep 06 17:05:31 2006
4156	MSDTC	Unknown User	N/A	Information	WEB1	Printers		String
message: Session idle timeout over, tearing down the session.	179
web1.example.com	MSWinEventLog	1	Security	722	Wed Sep 06 17:59:08 2006
576	Security	SYSTEM	User	Success Audit	WEB1	Privilege Use
Special privileges assigned to new logon:     User Name:      Domain:      Logon
ID: (0x0,0x4F3C5880)     Assigned: SeBackupPrivilege   SeRestorePrivilege
SeDebugPrivilege   SeChangeNotifyPrivilege   SeAssignPrimaryTokenPrivilege 525

For this example we will use the Application field as our triggers

Create an entry in props.conf:

In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:

	[windows_snare_syslog]
	REGEXES-index = Application

Create an entry in regexes.conf:

In $SPLUNK_HOME/etc/bundles/local/regexes.conf add the following stanza:

    
    [Application]
    REGEX = Application
    DEST_KEY = _MetaData:Index
    FORMAT = Application

Retrieved from "http://www.splunk.com/base/Documentation/2.2.6/Admin/SendSpecificEventsToAnAlternateIndex"

Start Prev: Index Specific Events Next: Strip syslog headers before processing

Categories: V:2.1 | V:2.2 | V:2.2.1 | V:2.2.3 | V:2.2.6

Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons