Splunk_TA_infoblox resets the "sourcetype" of input events, in my case from "infoblox:file", to 3 different values -- infoblox:dns / :dhcp / :threatprotect.
I am trying to modify the TA to put those events into 2 different indexes: DHCP events to "ipam", others to "ipam-secure".
However, I have not been able to do that. Here is what I have modified:
In props.conf:
[infoblox:dhcp]
TRANSFORMS-0_branch_index = infoblox_branch_index_ipam
. . . . . .
[infoblox:dns]
TRANSFORMS-0_branch_index = infoblox_branch_index_ipam_secure
. . . . . .
[infoblox:threatprotect]
TRANSFORMS-0_branch_index = infoblox_branch_index_ipam_secure
In transforms.conf:
[infoblox_branch_index_ipam]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = ipam
[infoblox_branch_index_ipam_secure]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = ipam-secure
The idea is basically, after an input event has its sourcetype reset as the TA already does, reset its index.
There are two TRANSFORMS for each raw event -- Should that work?
Should I have done it differently: adding more transform items in TRANSFORMS-0_branch_source_type for the [infoblox:file] sourcetype?
Any help is much appreciated! I'm running Splunk 7.0.3.
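Worked example of the alternative raised in the last question, added here and not taken from the original post or from the Splunk_TA_infoblox add-on: the index routing stays in the original [infoblox:file] stanza, chained after the sourcetype rewrite, instead of in the [infoblox:dhcp] / [infoblox:dns] / [infoblox:threatprotect] stanzas. Index-time TRANSFORMS are selected by the sourcetype an event has when it enters the parsing pipeline, so transforms keyed on a sourcetype that was assigned by another index-time transform in the same pass are not consulted; that is why the poster's version sees no effect. The transform stanza names (`infoblox_set_st_*`, `infoblox_index_*`) and the REGEX patterns (`dhcpd\[`, `named\[`, `threat`) are assumptions standing in for the add-on's real stanzas and patterns, which are not shown on the page.

```ini
# props.conf  (example added here; not the add-on's own configuration)
[infoblox:file]
# Both classes are index-time transforms on the ORIGINAL sourcetype.
# Splunk applies TRANSFORMS-<class> keys in ASCII order of the class name
# and the transforms inside one class left to right, so "1_branch_index"
# runs after "0_branch_source_type" for every event.
TRANSFORMS-0_branch_source_type = infoblox_set_st_dhcp, infoblox_set_st_dns, infoblox_set_st_threatprotect
TRANSFORMS-1_branch_index       = infoblox_index_ipam_secure_default, infoblox_index_ipam_dhcp

# transforms.conf
# Sourcetype rewrites. REGEX values are assumed patterns; substitute the
# add-on's real ones.
[infoblox_set_st_dhcp]
REGEX    = dhcpd\[
DEST_KEY = MetaData:Sourcetype
FORMAT   = sourcetype::infoblox:dhcp

[infoblox_set_st_dns]
REGEX    = named\[
DEST_KEY = MetaData:Sourcetype
FORMAT   = sourcetype::infoblox:dns

[infoblox_set_st_threatprotect]
REGEX    = threat
DEST_KEY = MetaData:Sourcetype
FORMAT   = sourcetype::infoblox:threatprotect

# Index routing. Order matters: the catch-all sends every event to
# ipam-secure first, then the DHCP match overrides the index with ipam
# (the last transform that matches wins for a given DEST_KEY).
[infoblox_index_ipam_secure_default]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = ipam-secure

[infoblox_index_ipam_dhcp]
REGEX    = dhcpd\[
DEST_KEY = _MetaData:Index
FORMAT   = ipam
```

Two checks before concluding the routing is broken: both indexes must already exist in indexes.conf on the indexers (events routed to a non-existent index are dropped unless lastChanceIndex is set), and these index-time settings must be deployed to the tier that parses the data (indexers, or a heavy forwarder if one sits in front of them), not to a search head. After a restart, `index=ipam sourcetype=infoblox:dhcp` and `index=ipam-secure sourcetype=infoblox:dns` over the last few minutes confirm the split.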