Hello.
I really hope someone on here will be able to help me out. Long story short: I am having some difficulties renaming an index on some cooked data that is hitting my indexer with `transforms.conf` and `props.conf`. I am trying to rename it from `bottles` to `newindex`.
On the indexer, I have the following:
`$SPLUNK_HOME/etc/system/local/transforms.conf`:
```
[changeindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = newindex
```
`$SPLUNK_HOME/etc/system/local/props.conf`:
```
[host::splunk-uf]
TRANSFORMS-index = changeindex
```
(For what it is worth) `$SPLUNK_HOME/etc/system/local/inputs.conf`:
```
[default]
host = splunk-indexer

[splunktcp:9997]
connection_host=none
index = newindex
compressed=true
listenOnIPv6=no
```
The error Splunk Web on the indexer is giving me when I send logs:
```
Received event for unconfigured/disabled/deleted index=bottles with source="source::/var/log/messages" host="host::splunk-uf" sourcetype="sourcetype::syslog". So far received events from 1 missing index(es).
```
**I have been sure to restart Splunk!**
Any help would be greatly appreciated. Thanks!
EDIT: Some more info:
Basically, I need to be able to send data from a Universal Forwarder (UF), via a Heavy Forwarder (HWF), to two indexers. The data needs to be indexed under different indexes on each indexer. I have a UF that forwards data to a HWF. The HWF does some transforms on the data to anonymize some components of it. It then forwards data to `Indexer1` and `Indexer2` using `TCP ROUTING`. I have been asked to send data to the `bottles` index on `Indexer1` and to `newindex` on `Indexer2`. I have no control over `Indexer1`, hence why I have set the index to be `bottles` on the UF and need the HWF to do the anonymizing of data, as I don't have control over `Indexer1`. Thus, I am trying to transform the data hitting `Indexer2` to change the index name to `newindex`.