https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177389#M17279 <P>Welcome to Splunk! Good question.. </P> <P>You can find what you are looking for here.<BR /> <A href="http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html">http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html</A></P> Tue, 18 Aug 2015 18:28:22 GMT shandman 2015-08-18T18:28:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177388#M17278 <P>Newcomer to Splunk, just took the "Using Splunk" course and trying to learn how all of the pieces fit together.</P> <P>I installed the Symantec DLP application, and set it up according to the documentation. It uses syslog to send events (incidents) into Splunk. I just got a couple of Events to show up in Splunk, so that's exciting!</P> <P>However, it appears that the App is only looking for them in a "dlp" index. These events are coming into my "main" index. How do I map that all events logged via this host should go into a "dlp" index?</P> <P>Thanks!</P> Tue, 18 Aug 2015 18:18:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177388#M17278 pickerin 2015-08-18T18:18:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177389#M17279 <P>Welcome to Splunk! Good question.. </P> <P>You can find what you are looking for here.<BR /> <A href="http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html">http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html</A></P> Tue, 18 Aug 2015 18:28:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177389#M17279 shandman 2015-08-18T18:28:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177390#M17280 <P>This is a great solution if you have a forwarder that you're using.<BR /> Unfortunately, I have an appliance that is sending syslog data on UDP 514 to the Indexer.<BR /> So, I'm looking for a solution that can be implemented on the Indexer only.</P> <P>I guess I could create a custom index that listens on and accepts syslog from a unique port, then assign that port the index, but I was hoping for something a little more straightforward (as that solution also requires changing firewalls to open up additional ports).</P> <P>I was hoping that I could just map the hostname to a specific index, as that hostname is never forwarding anything for a different index.</P> Tue, 18 Aug 2015 21:11:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177390#M17280 pickerin 2015-08-18T21:11:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177391#M17281 <P>Answer: The only solution if you wish to send the data directly to the indexer is to do so on a custom port, so you can specific a unique index and sourcetype. </P> <P>Solution: I moved the logs to the syslog aggregator, where I could monitor the path and provide a unique index and sourcetype, then that host is a universal forwarder to the index. Works great (but requires two systems).</P> Fri, 02 Oct 2015 12:09:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Symantec-Data-Loss-Prevention-DLP-How-to-specify-a-certain-index/m-p/177391#M17281 pickerin 2015-10-02T12:09:04Z