I am using a distributed Splunk Enterprise configuration with syslog data from multiple sources going to a central syslog server with a Universal Forwarder. The syslog sources are from separate customer servers and I need to maintain separation of data. The syslog data from the sources are going to individual log files, and I have log files forwarded to an Indexer such that the log sources belonging to the same customer are forwarded to the same Index so that I can use role based access controls per index. This works great. However, I now need to ingest log data from a load balancer that sits in front of all the customer servers such that only the logs for the customer's virtual IP only go to the customer's index. I have the syslog data from the load balancer going to the same syslog server with the same Universal Forwarder. I can't get the Transforms to properly parse and send the virtual IP events to the proper index, and I've tried all the example configurations I could find. This is what I currently have for the Props.conf and Transforms.conf on the Indexer.
**Props.conf**
[source::<*same source as used in the inputs.conf file on the Universal Forwarder*>]
TRANSFORMS-viprouting = customer 1, customer2, customer3
**Transforms.conf**
[customer1]
REGEX = "10.1.1.1"
DEST_KEY = _MetaData:Index
Format = customer1Index
WRITE_META = true
[customer2]
REGEX = "10.1.1.2"
DEST_KEY = _MetaData:Index
Format = customer2Index
WRITE_META = true
[customer3]
REGEX = "10.1.1.3"
DEST_KEY = _MetaData:Index
Format = customer3Index
WRITE_META = true
↧