<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376378#M93944</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?  &lt;/P&gt;

&lt;P&gt;They are all coming in on port UDP 514 from a Windows forwarder. I want all of this in main apart from syslogs from a certain IP which I want to go into a new index.&lt;/P&gt;

&lt;P&gt;It seems to keep complaining that port 514 is already in use, which it is, but I want:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;all hosts UDP/514 &amp;gt; main index
x.x.x.x UDP/514 &amp;gt; new index
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Thanks for any help, I'm new to this!&lt;/P&gt;

&lt;P&gt;Cheers,&lt;BR /&gt;
Steve.&lt;/P&gt;</description>
    <pubDate>Mon, 05 Nov 2018 09:10:55 GMT</pubDate>
    <dc:creator>sworton</dc:creator>
    <dc:date>2018-11-05T09:10:55Z</dc:date>
    <item>
      <title>How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376378#M93944</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?  &lt;/P&gt;

&lt;P&gt;They are all coming in on port UDP 514 from a Windows forwarder. I want all of this in main apart from syslogs from a certain IP which I want to go into a new index.&lt;/P&gt;

&lt;P&gt;It seems to keep complaining that port 514 is already in use, which it is, but I want:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;all hosts UDP/514 &amp;gt; main index
x.x.x.x UDP/514 &amp;gt; new index
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Thanks for any help, I'm new to this!&lt;/P&gt;

&lt;P&gt;Cheers,&lt;BR /&gt;
Steve.&lt;/P&gt;</description>
      <pubDate>Mon, 05 Nov 2018 09:10:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376378#M93944</guid>
      <dc:creator>sworton</dc:creator>
      <dc:date>2018-11-05T09:10:55Z</dc:date>
    </item>
    <item>
      <title>Re: How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376379#M93945</link>
      <description>&lt;P&gt;I don't know of any way to do this from the GUI. You may need to get into the backend to update the app.&lt;/P&gt;

&lt;P&gt;1) Find where your current inputs.conf file is located on the server. The best place to look is /opt/splunk/etc/apps/search/local/inputs.conf for Linux.&lt;/P&gt;

&lt;P&gt;2) Find the stanza that starts like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcp://:514]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;3) Above that put in a new stanza that looks like this.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcp://&amp;lt;put server ip here&amp;gt;:514]
index = &amp;lt;new index name here&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;4) Restart Splunk from the web UI.&lt;/P&gt;

&lt;P&gt;You may need to add or remove fields to get the desired results. Here is the documentation page.&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Inputsconf#inputs.conf.example"&gt;http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Inputsconf#inputs.conf.example&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 05 Nov 2018 20:38:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376379#M93945</guid>
      <dc:creator>miwade</dc:creator>
      <dc:date>2018-11-05T20:38:54Z</dc:date>
    </item>
    <item>
      <title>Re: How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376380#M93946</link>
      <description>&lt;P&gt;&lt;A href="https://answers.splunk.com/answers/1026/route-data-to-index-based-on-host.html"&gt;https://answers.splunk.com/answers/1026/route-data-to-index-based-on-host.html&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="https://answers.splunk.com/answers/30585/route-syslog-data-to-specific-index-by-host.html"&gt;https://answers.splunk.com/answers/30585/route-syslog-data-to-specific-index-by-host.html&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;The above answers should help with what you are looking for.&lt;/P&gt;</description>
      <pubDate>Mon, 05 Nov 2018 21:39:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376380#M93946</guid>
      <dc:creator>Rob2520</dc:creator>
      <dc:date>2018-11-05T21:39:16Z</dc:date>
    </item>
    <item>
      <title>Re: How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376381#M93947</link>
      <description>&lt;P&gt;Hi @sworton&lt;/P&gt;

&lt;P&gt;Did either of the answers below solve your problem? If so, please resolve by approving one of them. If your problem is still not solved, keep us updated so that someone else can help ya. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 06 Nov 2018 22:46:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-forward-syslogs-from-a-certain-host-to-a/m-p/376381#M93947</guid>
      <dc:creator>mstjohn_splunk</dc:creator>
      <dc:date>2018-11-06T22:46:05Z</dc:date>
    </item>
  </channel>
</rss>

