https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101933#M21370 <P>I do not believe this possible. However, you can redirect inputs to different indexes, just not with inputs.conf. Here is how:</P> <P><STRONG>inputs.conf</STRONG> </P> <PRE><CODE>[tcp://:5000] connection_host = ip sourcetype = mixedinputs index=defaultIndex </CODE></PRE> <P><STRONG>props.conf</STRONG> </P> <PRE><CODE>[mixedinputs] TRANSFORM=separate_inputs1, separate_inputs2 </CODE></PRE> <P><STRONG>transforms.conf</STRONG> </P> <PRE><CODE>[separate_inputs1] SOURCE_KEY=MetaData:Host REGEX=host::192\.168\.1\.1 DEST_KEY=_MetaData:Index FORMAT=A [separate_inputs2] SOURCE_KEY=MetaData:Host REGEX=host::10\.1\.\d+\.\d+ DEST_KEY=_MetaData:Index FORMAT=B </CODE></PRE> <P>First, this assigns all inbound events from port 5000 to <CODE>defaultIndex</CODE> (whatever you want to call it). Then, as the data is processed, each event is examined. If the host field (ip) of an event matches the regular expression (REGEX), the event is reassigned to the index named in FORMAT.</P> <P>Note that you can write the REGEX to "wildcard" the octets, but I don't now how to use CIDR notation with regular expressions.</P> Thu, 25 Oct 2012 00:03:16 GMT lguinn2 2012-10-25T00:03:16Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101932#M21369 <P>Hey,</P> <P>I was hoping someone can clarify if an IP range to subnet can be used in Inputs.conf.</P> <P>For example all hosts on</P> <P>192.168.1.0/24 (192.168.1.0-192.168.1.254) go to index A.</P> <P>192.168.2.0/24 (192.168.2.0-192.168.2.254) goes to index B.</P> <P>I have read though the documentation but I can't seem to find anything. Also if it is possible what is the correct syntax for the file?</P> <P>[tcp://192.168.1.0/24:5000] </P> <P>[tcp://192.168.1.0-192.168.1.254:5000]</P> <P>If I have missed something in the documentation I apologise.</P> Wed, 24 Oct 2012 21:11:09 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101932#M21369 bongski 2012-10-24T21:11:09Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101933#M21370 <P>I do not believe this possible. However, you can redirect inputs to different indexes, just not with inputs.conf. Here is how:</P> <P><STRONG>inputs.conf</STRONG> </P> <PRE><CODE>[tcp://:5000] connection_host = ip sourcetype = mixedinputs index=defaultIndex </CODE></PRE> <P><STRONG>props.conf</STRONG> </P> <PRE><CODE>[mixedinputs] TRANSFORM=separate_inputs1, separate_inputs2 </CODE></PRE> <P><STRONG>transforms.conf</STRONG> </P> <PRE><CODE>[separate_inputs1] SOURCE_KEY=MetaData:Host REGEX=host::192\.168\.1\.1 DEST_KEY=_MetaData:Index FORMAT=A [separate_inputs2] SOURCE_KEY=MetaData:Host REGEX=host::10\.1\.\d+\.\d+ DEST_KEY=_MetaData:Index FORMAT=B </CODE></PRE> <P>First, this assigns all inbound events from port 5000 to <CODE>defaultIndex</CODE> (whatever you want to call it). Then, as the data is processed, each event is examined. If the host field (ip) of an event matches the regular expression (REGEX), the event is reassigned to the index named in FORMAT.</P> <P>Note that you can write the REGEX to "wildcard" the octets, but I don't now how to use CIDR notation with regular expressions.</P> Thu, 25 Oct 2012 00:03:16 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101933#M21370 lguinn2 2012-10-25T00:03:16Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101934#M21371 <P>Thanks for the tip, I will impletment it that way and let you know how I go.</P> Thu, 25 Oct 2012 12:06:16 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101934#M21371 bongski 2012-10-25T12:06:16Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101935#M21372 <P>why not just use the index stanza in inputs.conf on the forwarder, should work as well.</P> Thu, 25 Oct 2012 12:33:03 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101935#M21372 MuS 2012-10-25T12:33:03Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101936#M21373 <P>This worked great, the solution is a bit CPU intensive but worked exactly how I needed it to.</P> Mon, 29 Oct 2012 04:58:42 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101936#M21373 bongski 2012-10-29T04:58:42Z https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101937#M21374 <P>Yeah, the event-by-event processing will always cost more resources than the "index the whole input stream from this port" method. There is always a trade-off <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 29 Oct 2012 06:28:57 GMT https://community.splunk.com/t5/Getting-Data-In/Using-an-IP-range-in-Inputs-conf/m-p/101937#M21374 lguinn2 2012-10-29T06:28:57Z