Hello.
I really hope someone on here will be able to help me out. Long story short I am having some difficulties renaming an index on some cooked data that is hitting my indexer with `transforms.conf` and `props.conf`. I am trying to rename it from `bottles` to `newindex`. Here is my current setup:
UF -> HWF -> Indexer
On the indexer, I have the following:
`$SPLUNK_HOME/etc/system/local/transforms.conf`:
```
[changeindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = newindex
```
`$SPLUNK_HOME/etc/system/local/props.conf`:
```
[host::splunk-uf]
TRANSFORMS-index = changeindex
```
(For what it is worth) `$SPLUNK_HOME/etc/system/local/inputs.conf`:
```
[default]
host = splunk-indexer

[splunktcp:9997]
connection_host=none
index = newindex
compressed=true
listenOnIPv6=no
```
The error the Splunk UI on the indexer is giving me when I send logs:
```
Received event for unconfigured/disabled/deleted index=bottles with source="source::/var/log/messages" host="host::splunk-uf" sourcetype="sourcetype::syslog". So far received events from 1 missing index(es).
```
**I have been sure to restart Splunk!**
Any help would be greatly appreciated. Thanks!