All Apps and Add-ons

How do you set Cisco Add-on to a specific index?

wralph_EPACN
Explorer

I am looking at how to set a specific index for this add-on as we have multiple groups responsible for Cisco devices, and we do not want them to see each others logs.

Any idea how to do this?

0 Karma

skurasak1
Explorer

Did you ever get an anwer for this, I'm having the same problem, my universal forwarder sends it to my indexer to specific index, but the TA_cisco_ios doesn't  seem to do transform to correct the hostname for me.  I'm not clear on what specific change on TA props.conf or transform.conf to read the specific index.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. It's an old thread. It's often that people aren't even active on Answers after several years.

2. An index is just a place for events "storage". Whether props/transforms work or not is not index-specific (ok, it _can_ be made index-specific but you have to work to explicitly make it so; you can safely assume that it's a very very unlikely case).

So if your index-time mechanism doesn't work, it's either defined in a wrong place (where do you have your settings defined?) or is not written properly.

0 Karma

lakshman239
Influencer

create indexes.conf under etc/apps//local to have your index. Then in the inputs.conf, for that monitor stanza/syslog etc.. you can setup index and sourcetype.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...