Forums: SplunkAdministration: Move WMI Input to different Indexes


Hello

I have a problem with Splunk 3.4.3 on Windows and remote WMI.
Here I index the application log.
I would like to split different hosts into different indexes, but in wmi.conf I have no option to configure index=xyz.

My first idea is to work with props.conf and transforms.conf on the indexing server side, point a regex at computername=mycomputer and move these messages to a different index.

Maybe anyone has a better solution for my problem?

Thanks
Rob

Can you explain why you want to split different hosts into different indexes?

I would split systems which refer to a specific project,
so that I have one index with logs from applications, the OS and others which belong to a specific product.

I have read a post that WMI remote events have a specific behaviour at transformation time.

Now I have configured my props.conf:
[wmi]
TRANSFORMS-index = WinSec_Maschine1

and my transforms.conf:
[WinSec_Maschine1]
REGEX = ComputerName[=]Maschine1
DEST_KEY = _MetaData:Index
FORMAT = index_project1

but this doesn't work. I have tried a few regex combinations without success.
Do you see any failure?

Thanks
Rob

I'm not sure about your regex. What exactly are you trying to match on?
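To make the routing idea from Rob's first post and the props.conf/transforms.conf pair in his second post concrete, here is an added example that is not part of the thread and not Splunk code: a small Python simulation of how an index-time TRANSFORMS rule with DEST_KEY = _MetaData:Index picks an index. The stanza name, regex and index name (WinSec_Maschine1, ComputerName[=]Maschine1, index_project1) are taken from the thread; the sample event lines are constructed and are not captured from a real Splunk 3.4.3 WMI input, and the "tolerant" variant of the regex is my own assumption for illustration. It shows two things a practitioner would check first: the regex is case-sensitive unless told otherwise, and it is matched against the raw event text, so the first thing to verify on the real indexer is that the string you are matching actually appears in _raw for those WMI events.

```python
import re

# Constructed sample WMI-style events (NOT captured from a real Splunk
# 3.4.3 system): key=value text as the thread's regex expects, plus
# variants that differ only in case or in the delimiter.
SAMPLE_EVENTS = [
    "LogName=Application ComputerName=Maschine1 EventCode=1000 Type=Error",
    "LogName=Application ComputerName=MASCHINE1 EventCode=1000 Type=Error",
    "LogName=Application ComputerName=Maschine2 EventCode=1001 Type=Warning",
    "LogName=Security ComputerName: Maschine1 EventCode=4624 Type=Audit",
]

# Rob's transforms.conf stanza from the thread, modelled as a dict.
RULE_FROM_THREAD = {
    "name": "WinSec_Maschine1",
    "REGEX": r"ComputerName[=]Maschine1",
    "DEST_KEY": "_MetaData:Index",
    "FORMAT": "index_project1",
}

# Assumed, more tolerant variant (not from the thread): case-insensitive,
# accepts '=' or ':' with optional spaces, and anchors the host name with
# \b so that "Maschine10" does not also match.
RULE_TOLERANT = {
    "name": "WinSec_Maschine1_tolerant",
    "REGEX": r"(?i)ComputerName\s*[=:]\s*Maschine1\b",
    "DEST_KEY": "_MetaData:Index",
    "FORMAT": "index_project1",
}


def route_event(raw, rules, default_index="main"):
    """Return the index an event would land in.

    Mirrors what an index-time TRANSFORMS rule does: the REGEX is tested
    against the raw event text (SOURCE_KEY defaults to _raw); the first
    matching rule whose DEST_KEY is _MetaData:Index sets the index to
    its FORMAT value. Events no rule matches stay in the default index.
    """
    for rule in rules:
        if rule["DEST_KEY"] != "_MetaData:Index":
            continue
        if re.search(rule["REGEX"], raw):
            return rule["FORMAT"]
    return default_index


def route_all(events, rules):
    """Route every sample event and return the list of target indexes."""
    return [route_event(event, rules) for event in events]


if __name__ == "__main__":
    for label, rule in (("thread", RULE_FROM_THREAD), ("tolerant", RULE_TOLERANT)):
        print(f"--- rule: {rule['name']} ({label}) ---")
        for event, index in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, [rule])):
            print(f"{index:15} <- {event}")
```

With the thread's regex only the first event is routed to index_project1; the upper-case host name and the "ComputerName: " form stay in the default index, which is exactly the silent failure mode Rob describes. Whether the real WMI events contain "ComputerName=" in their raw text at all is something to confirm by searching the existing index for those events and looking at _raw before tuning the regex further.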
