https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69700#M14155 <P>The "splunktcp" input is not a "data" input, but instead an input to listen to Splunk Forwarders.</P> <P>Instead you can do one of the following:</P> <OL> <LI><P>Set this in the Forwarder's inputs.conf for each stanza, i.e.:</P> <P>[monitor:///var/log]<BR /> disabled = false<BR /> index = blah</P></LI> <LI><P>Create a transform on the Indexer to override the _MetaData::index field at index time., i.e.</P> <P>$ cat transforms.conf<BR /> [setIndexMeta]<BR /> DEFAULT_VALUE = unknown<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = blah</P></LI> </OL> <P>...and you can call the transforms from props.conf by specifying a host, source or source type upon which to apply the transform.</P> Mon, 28 Sep 2020 11:23:02 GMT itinney 2020-09-28T11:23:02Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69699#M14154 <P>Hi all</P> <P>I've configured the following in inputs.conf on our indexer:</P> <P><EM>[splunktcp://9998]<BR /><BR /> index=blah</EM></P> <P>The universal forwarders are configured to send to this port (I've disabled port 9997 on the indexer to be sure) however data still ends up in the main index.</P> <P>I've checked './bin/splunk cmd btool transforms list --debug' and there are no transforms redirecting to other indexes. The only reference to 'index' in our transforms is:</P> <P><EM>system [splunk_index_history]<BR /><BR /> system CAN_OPTIMIZE = True<BR /><BR /> system CLEAN_KEYS = True<BR /><BR /> system DEFAULT_VALUE = <BR /><BR /> system DEST_KEY = _MetaData:Index<BR /><BR /> system FORMAT = history<BR /><BR /> system KEEP_EMPTY_VALS = False<BR /><BR /> system LOOKAHEAD = 4096<BR /><BR /> system MV_ADD = False<BR /><BR /> system REGEX = .<BR /><BR /> system SOURCE_KEY = _raw<BR /><BR /> system WRITE_META = False<BR /></EM></P> <P>... which shouldn't cause any problems.</P> <P>Does anyone know why that global input stanza isn't working?</P> <P>Many thanks</P> <P>Jim</P> Mon, 28 Sep 2020 11:22:52 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69699#M14154 jimcroft 2020-09-28T11:22:52Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69700#M14155 <P>The "splunktcp" input is not a "data" input, but instead an input to listen to Splunk Forwarders.</P> <P>Instead you can do one of the following:</P> <OL> <LI><P>Set this in the Forwarder's inputs.conf for each stanza, i.e.:</P> <P>[monitor:///var/log]<BR /> disabled = false<BR /> index = blah</P></LI> <LI><P>Create a transform on the Indexer to override the _MetaData::index field at index time., i.e.</P> <P>$ cat transforms.conf<BR /> [setIndexMeta]<BR /> DEFAULT_VALUE = unknown<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = blah</P></LI> </OL> <P>...and you can call the transforms from props.conf by specifying a host, source or source type upon which to apply the transform.</P> Mon, 28 Sep 2020 11:23:02 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69700#M14155 itinney 2020-09-28T11:23:02Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69701#M14156 <P>Thanks itinney</P> <P>So is the documentation for inputs.conf wrong or am I just reading it wrong? It says that 'index = ' is general setting and...</P> <P><EM>The following attribute/value pairs are valid for all input types (except file system change monitor,<BR /> which is described in a separate section in this file)</EM> </P> <P>There's no indication that it shouldn't work with [splunktcp://XXXX] stanzas.</P> <P>Do you mind if I run my use case by you and see if you have any ideas?</P> <P>We're a managed service provider looking after various customers AWS estates. We collect their logs in Splunk. I'm building a new Splunk 4.3 setup and reviewing all the reports, security, etc.</P> <P>What I'm trying to achieve is some kind of security and data isolation around receiving data from the forwarders. There are two main issues I'm trying resolve:</P> <OL> <LI>We cannot guarantee hostname uniqueness across clients (so I want a separate index per client).</LI> <LI>Some clients are have admin rights to some servers meaning I cannot rely 100% on them not tampering with the forwarder config. So I want to rely on the [splunktcp://XXXX] port they (any only they) have access to.</LI> </OL> <P>What I wanted to do was setup a specific listener port per client and have that listener directed to the clients index. And I'd like this enforced at the indexer rather than forwarder.</P> <P>Is this at all possible or do I need to rethink this?</P> <P>Any thoughts you have would be welcome.</P> <P>Thanks</P> Fri, 10 Feb 2012 17:30:35 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69701#M14156 jimcroft 2012-02-10T17:30:35Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69702#M14157 <P>I know that this is a very old question. As much searching has not yielded an appropriate solution, I was curious as to your end result. I too would like to be able to enforce the destination index on the indexer as opposed to relying on the forwarder specifying it. It seems to me that allowing the forwarder specify the destination index is a bit of a secuirty issue as one is essentially relying on user input which is generally a security no-no.Did you ever come up with a solution do enforce the destination index on the indexer? Or did you wind up relying on the forwarder to specify it?</P> <P>Thanks much</P> Wed, 24 Oct 2012 21:12:16 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69702#M14157 mce128 2012-10-24T21:12:16Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69703#M14158 <P>Note that in itinney's answer, he says how to do this using transforms.conf</P> <P>If you are using Universal Forwarders, transforms.conf must be on the indexers. This would accomplish your goal.</P> <P>It will add overhead to the parsing to do it this way, though.</P> Wed, 24 Oct 2012 21:29:38 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69703#M14158 lguinn2 2012-10-24T21:29:38Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69704#M14159 <P>If the forwarder's inputs.conf defines an index, that will override the splunktcp setting for index destination.</P> <P>You may need a transforms.conf rule like the one cited above to enforce the "per host/port" destination index.</P> Wed, 24 Oct 2012 22:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69704#M14159 sowings 2012-10-24T22:14:05Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69705#M14160 <P>Thx so much, second solution is handy but look like a workaround.<BR /> First solution reflect how Splunk UF are meant to be configured to define a specific index for a source, and I totally missed that.</P> Mon, 18 May 2020 14:35:35 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/69705#M14160 broomcupboardsu 2020-05-18T14:35:35Z https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/562588#M100262 <P>"<SPAN>The "splunktcp" input is not a "data" input, but instead an input to listen to Splunk Forwarders."</SPAN></P><P>Thank you, this clarified the problem for me as I was experiencing the same issue.</P> Mon, 09 Aug 2021 14:10:32 GMT https://community.splunk.com/t5/Getting-Data-In/Can-splunktcp-XXX-be-forced-to-a-specific-index/m-p/562588#M100262 ephemeric 2021-08-09T14:10:32Z