Splunk Base : SplunkAdministration : #2797

Move WMI Input to different Indexes

gkanapathy — Fri, 05 Jun 2009 23:28:29 PDT

I'm not sure about your regex. what exactly are you trying match on?

Move WMI Input to different Indexes

RobertRi — Tue, 26 May 2009 04:40:53 PDT

I have read a post that wmi remote events have a specific behaviour at transformation time

Now I have configured my props.conf
[wmi]
TRANSFORMS-index = WinSec_Maschine1

and my transforms.conf
[WinSec_Maschine1]
REGEX = ComputerName[=]Maschine1
DEST_KEY = _MetaData:Index
FORMAT = index_project1

but this don't work. I have tried a few regex combinations without success
Do you see any failure ?

Thanks
Rob

Move WMI Input to different Indexes

RobertRi — Tue, 26 May 2009 01:57:56 PDT

I would split systems wich refers to a specific project
That I have one Index with logs from application, OS sytem and others which belongs to a specific product

Move WMI Input to different Indexes

gkanapathy — Mon, 25 May 2009 17:53:24 PDT

Can you explain why you want to split different hosts into different indexes?

Move WMI Input to different Indexes

RobertRi — Mon, 25 May 2009 06:15:26 PDT

Hello

I have a problem with Splunk 3.4.3 on Windows and remote wmi.
Here I will index the application log
I would like to split, different hosts in different indexes but in wmi.conf, I have no option to configure index=xyz.

My first idea is to work with props and transforms.conf on the indexing server site and point a regex on computername=mycomputer and move this messages to a different index

Maybe anyone has a better solution for my problem ?

Thanks
Rob