https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272026#M190166 <P>It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:</P> <OL> <LI>Run tcpdump on the indexer where you have that input &amp; index configured, do you see traffic making its way to that indexer?</LI> <LI>Run netstat -an | grep 3514 on the indexer to ensure the port is open &amp; listening</LI> <LI>Examine the securitylogs index to ensure it's growing</LI> <LI>Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads &amp; the indexers)</LI> <LI>Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers</LI> </OL> Sat, 02 Apr 2016 16:41:12 GMT niemesrw 2016-04-02T16:41:12Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272023#M190163 <P>We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk.</P> <P>I want to receive the data to a restricted index (securitylogs).</P> <P>In a first try I configured the listening port in the Webui, Setting -&gt; Forwarding and receiving -&gt; Configure receiving -&gt; added Port 3514</P> <P>This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers":</P> <P>inputs.conf<BR /> [splunktcp://3514]<BR /> disabled = 0<BR /> index = securitylogs</P> <P>Then I used the "| delete" function to remove the data from the main index.</P> <P>Now I dont get any data from the appliances anymore and I've no idea why..</P> <P>Maybe someone can give me a hint whats the problem of my config?</P> Tue, 29 Sep 2020 09:17:05 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272023#M190163 nicocin 2020-09-29T09:17:05Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272024#M190164 <P>Did you configure the <CODE>securitylogs</CODE> index in <CODE>indexes.conf</CODE> on all of your indexers (and then restart them)?</P> Fri, 01 Apr 2016 14:54:14 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272024#M190164 woodcock 2016-04-01T14:54:14Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272025#M190165 <P>It is configured in the app config_all_indexers which is deployed to all indexers.</P> <P>I've restarted splunkd on all indexers.</P> Tue, 29 Sep 2020 09:17:14 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272025#M190165 nicocin 2020-09-29T09:17:14Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272026#M190166 <P>It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:</P> <OL> <LI>Run tcpdump on the indexer where you have that input &amp; index configured, do you see traffic making its way to that indexer?</LI> <LI>Run netstat -an | grep 3514 on the indexer to ensure the port is open &amp; listening</LI> <LI>Examine the securitylogs index to ensure it's growing</LI> <LI>Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads &amp; the indexers)</LI> <LI>Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers</LI> </OL> Sat, 02 Apr 2016 16:41:12 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272026#M190166 niemesrw 2016-04-02T16:41:12Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272027#M190167 <P>Thank you for the tips.</P> <P>I've changed nothing but now I'm receiving events.</P> <P>Unfortunately they go to the main index..</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1193i5F2EB30FD4033F66/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How can I change that?</P> Mon, 04 Apr 2016 07:03:52 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272027#M190167 nicocin 2016-04-04T07:03:52Z https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272028#M190168 <P>I've found another article that states "The "splunktcp" input is not a data input, but instead an input to listen to Splunk Forwarders."</P> <P>So I've configured it with props.conf and transforms.conf:</P> <P>props.conf<BR /> [mc_logs]<BR /> TRANSFORMS-index=sendtomyindex</P> <P>transforms.conf<BR /> [sendtomyindex]<BR /> SOURCE_KEY=_MetaData:Index<BR /> DEST_KEY=_MetaData:Index<BR /> REGEX=(.*)<BR /> FORMAT=securitylogs</P> <P>Now the data goes to the index "securitylogs". </P> Tue, 29 Sep 2020 09:17:31 GMT https://community.splunk.com/t5/Splunk-Search/Receive-cooked-data-to-index-securitylogs/m-p/272028#M190168 nicocin 2020-09-29T09:17:31Z