https://answers.splunk.com/answers/50761/how-do-i-route-data-to-specific-index-based-on-a-field.html
2012/06/07 10:45:50 service=srvc1 server=node3 score=50 seq=55041
2012/06/07 10:45:50 service=srvc3 server=node1 score=17 seq=55042
2012/06/07 10:45:50 service=srvc2 server=node1 score=67 seq=55043
2012/06/07 10:45:50 service=srvc2 server=node4 score=43 seq=55044
2012/06/07 10:45:50 service=srvc3 server=node2 score=11 seq=55045
2012/06/07 10:45:50 service=srvc3 server=node2 score=60 seq=55046
2012/06/07 10:45:50 service=srvc1 server=node0 score=28 seq=55047
2012/06/07 10:45:50 service=srvc1 server=node0 score=4 seq=55048
Hi jeff,
I could get it work with the following config.
-
[sample1]
TRANSFORMS-index_routing = route_data_to_index_by_field_service -
[route_data_to_index_by_field_service]
REGEX = .service=(.?)[ ]
DEST_KEY = _MetaData:Index
FORMAT = $1 -
Result
$ ./splunk search 'index=* sourcetype=sample1 | head limit=10 | table index, service, server'
index service server
----- ------- ------
srvc2 srvc2 node1
srvc2 srvc2 node0
srvc3 srvc3 node1
srvc2 srvc2 node4
srvc3 srvc3 node0
srvc2 srvc2 node4
srvc2 srvc2 node0
srvc1 srvc1 node4
srvc2 srvc2 node1
srvc1 srvc1 node0 -
now I can move forward to configure RBAC thing... thanks!