<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: split syslog data from multiple ip addresses  into separate indexes in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137464#M28304</link>
    <description>&lt;P&gt;If you are commenting on answers you should place your comments against the appropriate answer to facilitate an easier discussion.  The "assign" remarks in the first answer are purely conversational, not part of the config text.&lt;/P&gt;</description>
    <pubDate>Fri, 25 Apr 2014 00:55:24 GMT</pubDate>
    <dc:creator>grijhwani</dc:creator>
    <dc:date>2014-04-25T00:55:24Z</dc:date>
    <item>
      <title>split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137460#M28300</link>
      <description>&lt;P&gt;I have multiple Linux hosts sending syslog data (port 514) and want to split the data into different indexes based on IP address.  I know I can set this up with each sending to a different port, but expect to have more hosts in future so sending to different ports based on IP address could become confusing.&lt;/P&gt;

&lt;P&gt;I created a props.conf with&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[192.168.17.3]
sourcetype=abc

[192.168.17.4]
sourcetype=mail
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;but how do I tell splunk to send data from 192.168.17.3 to index abc?&lt;/P&gt;</description>
      <pubDate>Mon, 21 Apr 2014 20:28:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137460#M28300</guid>
      <dc:creator>plj3736</dc:creator>
      <dc:date>2014-04-21T20:28:47Z</dc:date>
    </item>
    <item>
      <title>Re: split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137461#M28301</link>
      <description>&lt;P&gt;Here are the steps to achieve it, &lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Create props.conf to override sourcetype and index. Sourcetype cannot be specified under a host stanza as you put above in props.conf.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Assume you are using automatic sourcetyping of the syslog.&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# host stanzas: each runs its index and sourcetype transforms from transforms.conf
[host::192.168.17.3]
TRANSFORMS-0force_index_sourcetype = 0force_index, 0force_sourcetype

[host::192.168.17.4]
TRANSFORMS-1force_index_sourcetype = 1force_index, 1force_sourcetype
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;P&gt;assign abc index&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# route events whose host metadata is exactly 192.168.17.3 to index abc
[0force_index]
SOURCE_KEY=MetaData:Host
REGEX=^192\.168\.17\.3$
DEST_KEY=_MetaData:Index
FORMAT=abc
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;assign abc sourcetype&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# same host match, but rewrite the sourcetype to abc (name matches the 0force_ reference in props.conf)
[0force_sourcetype]
SOURCE_KEY=MetaData:Host
REGEX=^192\.168\.17\.3$
DEST_KEY=MetaData:Sourcetype
FORMAT=abc
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have not tested this.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Apr 2014 21:42:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137461#M28301</guid>
      <dc:creator>kheli</dc:creator>
      <dc:date>2014-04-21T21:42:15Z</dc:date>
    </item>
    <item>
      <title>Re: split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137462#M28302</link>
      <description>&lt;P&gt;Your query appears to be addressed in the answer to be found at &lt;A href="http://answers.splunk.com/answers/60972/split-syslog-input-into-multiple-indexes"&gt;http://answers.splunk.com/answers/60972/split-syslog-input-into-multiple-indexes&lt;/A&gt; with another variant to be found at &lt;A href="http://answers.splunk.com/answers/75939/split-syslog-udp514-from-multi-hosts-to-multi-indexes"&gt;http://answers.splunk.com/answers/75939/split-syslog-udp514-from-multi-hosts-to-multi-indexes&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;However, if you are running on Linux or similar (you don't specify), I would strongly recommend installing and running &lt;A href="http://www.balabit.com/network-security/syslog-ng"&gt;syslog-ng&lt;/A&gt; (the open-source edition should be good enough) as your syslog server, configuring THAT to be your point of separation, and configuring your sources accordingly.  The native Splunk syslog service is very limited.&lt;/P&gt;</description>
      <pubDate>Tue, 22 Apr 2014 00:09:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137462#M28302</guid>
      <dc:creator>grijhwani</dc:creator>
      <dc:date>2014-04-22T00:09:02Z</dc:date>
    </item>
    <item>
      <title>Re: split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137463#M28303</link>
      <description>&lt;P&gt;I've tried the suggestion from the first answer.  transforms.conf seems to have an issue with the assign statement.  The indication is that this is not a valid statement.  I'm somewhat new to working with props and transforms and a real novice with REGEX, therefore I found the 2nd answer confusing.  I had looked at it before I posted the original question.&lt;/P&gt;

&lt;P&gt;If someone can help with why the assign statement doesn't work as noted above, I would greatly appreciate it.&lt;/P&gt;

&lt;P&gt;TIA&lt;/P&gt;</description>
      <pubDate>Thu, 24 Apr 2014 17:41:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137463#M28303</guid>
      <dc:creator>plj3736</dc:creator>
      <dc:date>2014-04-24T17:41:25Z</dc:date>
    </item>
    <item>
      <title>Re: split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137464#M28304</link>
      <description>&lt;P&gt;If you are commenting on answers you should place your comments against the appropriate answer to facilitate an easier discussion.  The "assign" remarks in the first answer are purely conversational, not part of the config text.&lt;/P&gt;</description>
      <pubDate>Fri, 25 Apr 2014 00:55:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137464#M28304</guid>
      <dc:creator>grijhwani</dc:creator>
      <dc:date>2014-04-25T00:55:24Z</dc:date>
    </item>
    <item>
      <title>Re: split syslog data from multiple ip addresses  into separate indexes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137465#M28305</link>
      <description>&lt;P&gt;Edited the above to make the configuration detail stand out from the conversational text.&lt;/P&gt;</description>
      <pubDate>Fri, 25 Apr 2014 00:57:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/split-syslog-data-from-multiple-ip-addresses-into-separate/m-p/137465#M28305</guid>
      <dc:creator>grijhwani</dc:creator>
      <dc:date>2014-04-25T00:57:31Z</dc:date>
    </item>
  </channel>
</rss>

