Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Index Netflow log into a dedicated index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index Netflow log into a dedicated index
Hi,
I have Splunk App Stream (splunk_app_stream) and Splunk Add-on for Stream Forwarders (splunk_TA_stream) installed on the single Splunk instance where server is acting as both indexer and search head.
Splunk App Stream offers various streams out of the box, including Netflow. I've managed to get the Netflow data into the Splunk App Stream using streamfwd.conf on port 2055.
Netflow stream offered by Splunk App Stream out of the box index data into default index, i would like to change it to a my own dedicated index 'Netflow_logs'. The Splunk App Stream UI offers ac drop down to select your own preferred option, i would like to do this with changing or editing the config file or file manipulation in the /opt/splunk/etc/apps/ splunk_app_stream or in the /opt/splunk/etc/apps/splunk_TA_stream - not through the UI, not not keen to the API either.
If we are not allowed to edit the out of the box netflow stream offered by Splunk App Stream, is there a way to create a new config file which will configure new stream for example 'netflow_stream' and have it to index into 'netflow_logs' index using file manipulation?
Can someone share some thoughts if this can be achieved using file manipulation? Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you it was great help, appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if it helped, I would really appreciate if you could pick my response as solution. Happy Splunking 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have a stream app and my lab is not suitable for this at this time. However, I believe we can find the solution after a btool run: Could you run below on the CLI and find where it registers selected index in your server
(I would expect there is an indexes.conf file bundled with the app, and inputs.conf file pointing to that index):
Test below after picking an index from dropdown and grep below for this selected index:
#Find which indexes.conf for the picked index is stored
$SPLUNK_HOME$/bin/splunk btool indexes list --debug
#Find where is the inputs.conf pointing for the same
$SPLUNK_HOME$/bin/splunk btool inputs list --debug
This should point you to right place
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
