
Adding more stanzas to the same inputs.conf for the same script, but two destinations

jravida
Communicator

Hi folks,

I'm trying to utilize the nessus app to monitor two 'incoming' directories for *.nessus scan files dropped there. I want to use a different index for each scan depending on which 'incoming' folder the nessus scan is copied to.

My current inputs.conf looks like this:

[script:///opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus2splunk.py -s /opt/splunk/scans/domainA/incoming -t /opt/splunk/scans/domainA/parsed]
disabled = false
interval = 120

[batch:///opt/splunk/scans/domainA/parsed]
index = domainA
source = domainA
sourcetype = nessus
move_policy = sinkhole
crcSalt =

So it just looks at one folder every two minutes; if it sees the file it runs the Python script and drops it into the parsed folder (as far as I am aware) and ingests it.

I want to input domainB scans just the same, but I want them to go to a different index with the same nessus sourcetype.

Is there a way I can easily tell this input to treat a second folder differently and apply different indexes, or is it limited to one?

0 Karma

dwaddle
SplunkTrust

Yes, you can solve it this way, with a pair of scripted/batch inputs for each domain, as long as the paths to each are unique.

However, you might be happier using props.conf and transforms.conf to make the necessary routing rules based on the source in the event.

(transforms.conf)
# one routing stanza per destination index; REGEX = . matches any source
[index_domainA]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainA

[index_domainB]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainB


(props.conf)
# the stanza matches the event's source; an explicit `source =` in inputs.conf
# replaces the file path, so either drop that setting or match the literal value here
[source::/opt/splunk/scans/*domainA*]
# the class value is the transforms.conf stanza name, not the index name
TRANSFORMS-index = index_domainA

[source::/opt/splunk/scans/*domainB*]
TRANSFORMS-index = index_domainB

This requires, though, that the names of the scan report files have the domain in the file name.
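
The two approaches from the answer above, worked through as an added example (this is not code from the thread or from Splunk_TA_nessus). It is a small Python model of how Splunk picks the destination index, and it makes the following assumptions: the [batch://dir] stanza whose directory contains the file applies; an explicit `source =` in that stanza replaces the path as the event's source; in props.conf [source::pattern] stanzas `*` matches anything but "/" and `...` matches anything (per props.conf.spec), with the rest taken literally; and each TRANSFORMS-<class> names a transforms.conf stanza whose FORMAT becomes the index when REGEX matches the source and DEST_KEY is MetaData:Index. The sample configs are constructed for the example; the props patterns are anchored to a single parsed directory rather than the looser `*domainA*` form in the answer.

```python
"""Model of how Splunk picks the index for a batch-ingested .nessus file.

Added example, not code from the thread or from Splunk_TA_nessus. A simplified
model of Splunk's behaviour; see the assumptions in the lead-in text.
"""
import configparser
import re

# Constructed sample configs, not files taken from the poster's system.
# Approach 1: one batch input per domain, index set directly on the input.
INPUTS_PAIRED = """\
[batch:///opt/splunk/scans/domainA/parsed]
index = domainA
sourcetype = nessus
move_policy = sinkhole

[batch:///opt/splunk/scans/domainB/parsed]
index = domainB
sourcetype = nessus
move_policy = sinkhole
"""

# Approach 2: one parsed directory; no `source =` override, so the file
# path is the source and props/transforms route on the file name.
INPUTS_SINGLE = """\
[batch:///opt/splunk/scans/parsed]
index = main
sourcetype = nessus
move_policy = sinkhole
"""

TRANSFORMS = """\
[index_domainA]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainA

[index_domainB]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainB
"""

PROPS_GOOD = """\
[source::/opt/splunk/scans/parsed/*domainA*]
TRANSFORMS-index = index_domainA

[source::/opt/splunk/scans/parsed/*domainB*]
TRANSFORMS-index = index_domainB
"""

# The slip in the answer above: the class value must be the transforms.conf
# stanza name (index_domainA), not the index name. Nothing is routed.
PROPS_BROKEN = """\
[source::/opt/splunk/scans/parsed/*domainA*]
TRANSFORMS-index = domainA
"""


def load_conf(text):
    """Parse Splunk's INI-style conf text, keeping key case (DEST_KEY ...)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def source_pattern_to_regex(pattern):
    """Turn a props.conf source:: pattern into an anchored Python regex."""
    parts = re.split(r"(\.\.\.|\*)", pattern)  # keep the wildcards as tokens
    body = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return "^" + body + "$"


def transform_refs(props):
    """Yield (props stanza, class key, transforms stanza name) triples."""
    for stanza, keys in props.items():
        for key, value in keys.items():
            if key.startswith("TRANSFORMS-"):
                for name in value.split(","):
                    yield stanza, key, name.strip()


def lint_transform_refs(props, transforms):
    """References to transforms stanzas that do not exist (they route nothing)."""
    return [ref for ref in transform_refs(props) if ref[2] not in transforms]


def resolve_index(path, inputs, props, transforms):
    """Index a file at `path` lands in under this model (default 'main')."""
    stanza = next((s for s in inputs if s.startswith("batch://")
                   and path.startswith(s[len("batch://"):].rstrip("/") + "/")), None)
    if stanza is None:
        raise ValueError(f"no batch input covers {path}")
    keys = inputs[stanza]
    index = keys.get("index", "main")
    source = keys.get("source") or path  # an explicit `source =` replaces the path
    for pstanza, _key, name in transform_refs(props):
        pattern = pstanza[len("source::"):]
        if not pstanza.startswith("source::") or not re.match(source_pattern_to_regex(pattern), source):
            continue
        t = transforms.get(name)  # None for a dangling reference
        if t and t.get("DEST_KEY") == "MetaData:Index" and re.search(t["REGEX"], source):
            index = t["FORMAT"]
    return index
```

Running `lint_transform_refs` over a props/transforms pair before deploying catches the mismatch that makes the routing silently do nothing; `resolve_index` lets you check where a given file name would land before dropping it into the directory.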
