Solved: Re: Splunk Add-on for Nessus: Is it possible to ch...

bradp1234 · ‎02-21-2015

I am successfully seeing Nessus data in Splunk, but all the data is going into the main index. I would like to put the data in a different index. Is this possible? Thanks.

kml_uvce · ‎02-21-2015

yes you can change the index name in inputs.conf file under stanza,
index = indexname
if you are using monitor in forwarder then use under monitor file names stanza, or you can put under other stanzas in indexer, means if you are using udp/tcp input then write index=indexname under [tcp] or [udp] or [splunktcp], see more info
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf

let m e know if you have any questions

View solution in original post

bradp1234 · ‎02-22-2015

tl;dr

put this in local/inputs.conf

[batch://$SPLUNK_HOME/var/spool/splunk]
index = yourindex

kml_uvce · ‎02-21-2015

yes you can change the index name in inputs.conf file under stanza,
index = indexname
if you are using monitor in forwarder then use under monitor file names stanza, or you can put under other stanzas in indexer, means if you are using udp/tcp input then write index=indexname under [tcp] or [udp] or [splunktcp], see more info
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf

let m e know if you have any questions

bradp1234 · ‎02-21-2015

I tried the approach you are suggesting already in the local/inputs.conf file for the app, but it only changed the index for the scripts output (nessus2splunk) not the actual Nessus data's index. I would like the actual Nessus data to go into a different index. Thanks.

[script://./bin/nessus2splunk.py]
disabled = false
interval = 120
index = security
source = nessus2splunk
sourcetype = nessus2splunk

PlumpyChunq · ‎10-09-2015

This does not seem to work. I have the latest version of splunk and the latest version of Splunk_TA_nessus.
It always goes to the "main" index.

wolfbu · ‎06-04-2015

Yes, I have the same problem that couldn't be resolved, really need to do routeindex in transforms.conf?

robert_miller · ‎12-08-2015

Were you able to get this to work using transforms? I added the stanza below to my indexers and it is still not working properly.

[force_index_for_nessus]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vulnerability

kml_uvce · ‎02-21-2015

can you please send me all inputs.conf content of the forwarder ...

bradp1234 · ‎02-21-2015

Are you familiar with this app? It is not supposed to be installed on a forwarder. I have the Splunk indexer and search head installed on one machine. I think the app is using a batch input, but I am not able to find the stanza in the default/inputs.conf. I don't think you want me to send all the inputs.conf from my indexer.

kml_uvce · ‎02-21-2015

$SPLUNK_HOME/var/spool/splunk , this is the place from where your nexus files are read so you have to give your index details under monitor of this dir/file.

bradp1234 · ‎02-22-2015

I added this in the local/inputs.conf file for the app, restarted splunk, and then processed another nessus file and it went into the correct index.

[batch://$SPLUNK_HOME/var/spool/splunk]
index = security

Thanks for the help.

robert_miller · ‎12-08-2015

If you add this stanza, everything in that spool directory will be sent to your index=security. Did you have to specify the nessus files in order to avoid that?

[batch://$SPLUNK_HOME/var/spool/splunk/*.nessus]
index = security

Splunk Add-on for Nessus: Is it possible to change the default index from main for Nessus data?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!