I am successfully seeing Nessus data in Splunk, but all the data is going into the main index. I would like to put the data in a different index. Is this possible? Thanks.
Yes, you can change the index name in the inputs.conf file under the stanza:
index = indexname
If you are using a monitor input on the forwarder, then put it under the monitor stanza for those file names; or you can put it under other stanzas on the indexer, meaning if you are using a udp/tcp input then write index=indexname under [tcp], [udp] or [splunktcp]. See more info:
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf
Let me know if you have any questions.
tl;dr
put this in local/inputs.conf
[batch://$SPLUNK_HOME/var/spool/splunk]
index = yourindex
I tried the approach you are suggesting already in the local/inputs.conf file for the app, but it only changed the index for the scripts output (nessus2splunk) not the actual Nessus data's index. I would like the actual Nessus data to go into a different index. Thanks.
[script://./bin/nessus2splunk.py]
disabled = false
interval = 120
index = security
source = nessus2splunk
sourcetype = nessus2splunk
This does not seem to work. I have the latest version of Splunk and the latest version of Splunk_TA_nessus.
It always goes to the "main" index.
Yes, I have the same problem and couldn't resolve it. Do you really need to do index routing in transforms.conf?
Were you able to get this to work using transforms? I added the stanza below to my indexers and it is still not working properly.
[force_index_for_nessus]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vulnerability
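As an added example (not from the original thread): a transforms.conf stanza on its own is never applied; an index-time transform only runs when a props.conf stanza references it by name, so the two files belong together. The sourcetype name nessus below is an assumption; use whatever sourcetype the TA actually assigns to the spooled files.

```ini
# props.conf (on the indexer, or wherever index-time parsing happens)
# Sourcetype name is an assumption; check the sourcetype the TA assigns.
[nessus]
TRANSFORMS-force_index = force_index_for_nessus

# transforms.conf (same instance; the stanza name must match the reference above)
[force_index_for_nessus]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vulnerability
```

The target index (here vulnerability) must already be defined in indexes.conf on the indexer, otherwise the routed events are not stored; restart Splunk after editing either file.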
Can you please send me all the inputs.conf content from the forwarder...
Are you familiar with this app? It is not supposed to be installed on a forwarder. I have the Splunk indexer and search head installed on one machine. I think the app is using a batch input, but I am not able to find the stanza in the default/inputs.conf. I don't think you want me to send all the inputs.conf from my indexer.
$SPLUNK_HOME/var/spool/splunk is the place your Nessus files are read from, so you have to give your index details under the input stanza for this directory/file.
I added this in the local/inputs.conf file for the app, restarted Splunk, and then processed another Nessus file and it went into the correct index.
[batch://$SPLUNK_HOME/var/spool/splunk]
index = security
Thanks for the help.
If you add this stanza, everything in that spool directory will be sent to your index=security. Did you have to specify the nessus files in order to avoid that?
[batch://$SPLUNK_HOME/var/spool/splunk/*.nessus]
index = security