
SplunkAdministration: Move WMI Input to different Indexes




Hello

I have a problem with Splunk 3.4.3 on Windows and remote WMI.
Here I will index the application log.
I would like to split different hosts into different indexes, but in wmi.conf I have no option to configure index=xyz.

My first idea is to work with props.conf and transforms.conf on the indexing server side, point a regex at computername=mycomputer, and move these messages to a different index.

Maybe someone has a better solution for my problem?

Thanks
Rob

Can you explain why you want to split different hosts into different indexes?

I would split systems which refer to a specific project,
so that I have one index with logs from the application, the OS and others which belong to a specific product.

I have read a post that remote WMI events have a specific behaviour at transformation time.

Now I have configured my props.conf:
[wmi]
TRANSFORMS-index = WinSec_Maschine1

and my transforms.conf:
[WinSec_Maschine1]
REGEX = ComputerName[=]Maschine1
DEST_KEY = _MetaData:Index
FORMAT = index_project1

but this doesn't work. I have tried a few regex combinations without success.
Do you see any failure?

Thanks
Rob
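As an added illustration (not code from the thread or from Splunk), a small Python simulation of how the props.conf/transforms.conf pair above routes events: each REGEX runs against _raw (the default SOURCE_KEY) and a match with DEST_KEY = _MetaData:Index sets the index to FORMAT. The event lines are constructed and their field layout is an assumption, not a capture from Splunk 3.4.3; the third event shows how a regex tied to one exact spelling of the host name leaves events in the default index.

```python
import re

# Constructed sample application-log events (not captured from a real
# Splunk 3.4.3 system); the field layout is an assumption for this example.
SAMPLE_EVENTS = [
    "LogFile=Application ComputerName=Maschine1 EventCode=1000 Message=App crashed",
    "LogFile=Application ComputerName=Maschine2 EventCode=1001 Message=Service started",
    "LogFile=Application ComputerName=maschine1.corp.example EventCode=1002 Message=Update applied",
]

# The transform from the thread, kept as a list because Splunk applies the
# transforms named in a TRANSFORMS-* setting in order.
TRANSFORMS = [
    {
        "name": "WinSec_Maschine1",
        "regex": r"ComputerName[=]Maschine1",
        "dest_key": "_MetaData:Index",
        "format": "index_project1",
    },
]

DEFAULT_INDEX = "main"


def route_event(raw, transforms=TRANSFORMS, default_index=DEFAULT_INDEX):
    """Return the index an event would land in after index-time routing.

    Mirrors the relevant part of Splunk's behaviour: the regex is tested
    against the raw event text, and on a match the index is overwritten
    with the transform's FORMAT value. Matching is case-sensitive unless
    the regex itself says otherwise, which is why the FQDN/lower-case
    variant of the host name is not routed.
    """
    index = default_index
    for t in transforms:
        if t["dest_key"] != "_MetaData:Index":
            continue
        if re.search(t["regex"], raw):
            index = t["format"]
    return index


def route_all(events=SAMPLE_EVENTS):
    """Route every sample event; returns the list of target indexes."""
    return [route_event(e) for e in events]


if __name__ == "__main__":
    for ev, idx in zip(SAMPLE_EVENTS, route_all()):
        print(f"{idx:15} <- {ev}")
```

Running it against real data means replacing SAMPLE_EVENTS with the exact _raw text Splunk stored for one WMI event, since that text, not the field names shown in search, is what the REGEX sees.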

I'm not sure about your regex. What exactly are you trying to match on?