All Apps and Add-ons

Splunk Add-on for Nessus: Is it possible to change the default index from main for Nessus data?

bradp1234
Path Finder

I am successfully seeing Nessus data in Splunk, but all the data is going into the main index. I would like to put the data in a different index. Is this possible? Thanks.

1 Solution

kml_uvce
Builder

yes you can change the index name in inputs.conf file under stanza,
index = indexname
if you are using monitor in forwarder then use under monitor file names stanza, or you can put under other stanzas in indexer, means if you are using udp/tcp input then write index=indexname under [tcp] or [udp] or [splunktcp], see more info
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf

let m e know if you have any questions

View solution in original post

bradp1234
Path Finder

tl;dr

put this in local/inputs.conf

[batch://$SPLUNK_HOME/var/spool/splunk]
index = yourindex

0 Karma

kml_uvce
Builder

yes you can change the index name in inputs.conf file under stanza,
index = indexname
if you are using monitor in forwarder then use under monitor file names stanza, or you can put under other stanzas in indexer, means if you are using udp/tcp input then write index=indexname under [tcp] or [udp] or [splunktcp], see more info
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf

let m e know if you have any questions

View solution in original post

bradp1234
Path Finder

I tried the approach you are suggesting already in the local/inputs.conf file for the app, but it only changed the index for the scripts output (nessus2splunk) not the actual Nessus data's index. I would like the actual Nessus data to go into a different index. Thanks.

[script://./bin/nessus2splunk.py]
disabled = false
interval = 120
index = security
source = nessus2splunk
sourcetype = nessus2splunk

0 Karma

PlumpyChunq
New Member

This does not seem to work. I have the latest version of splunk and the latest version of Splunk_TA_nessus.
It always goes to the "main" index.

0 Karma

wolfbu
New Member

Yes, I have the same problem that couldn't be resolved, really need to do routeindex in transforms.conf?

0 Karma

robert_miller
Path Finder

Were you able to get this to work using transforms? I added the stanza below to my indexers and it is still not working properly.

[force_index_for_nessus]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vulnerability

0 Karma

kml_uvce
Builder

can you please send me all inputs.conf content of the forwarder ...

0 Karma

bradp1234
Path Finder

Are you familiar with this app? It is not supposed to be installed on a forwarder. I have the Splunk indexer and search head installed on one machine. I think the app is using a batch input, but I am not able to find the stanza in the default/inputs.conf. I don't think you want me to send all the inputs.conf from my indexer.

0 Karma

kml_uvce
Builder

$SPLUNK_HOME/var/spool/splunk , this is the place from where your nexus files are read so you have to give your index details under monitor of this dir/file.

bradp1234
Path Finder

I added this in the local/inputs.conf file for the app, restarted splunk, and then processed another nessus file and it went into the correct index.

[batch://$SPLUNK_HOME/var/spool/splunk]
index = security

Thanks for the help.

0 Karma

robert_miller
Path Finder

If you add this stanza, everything in that spool directory will be sent to your index=security. Did you have to specify the nessus files in order to avoid that?

[batch://$SPLUNK_HOME/var/spool/splunk/*.nessus]
index = security

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!