
Splunk Add-on for Nessus: Is it possible to change the default index from main for Nessus data?

Path Finder

I am successfully seeing Nessus data in Splunk, but all the data is going into the main index. I would like to put the data in a different index. Is this possible? Thanks.

1 Solution

Builder

Yes, you can change the index name in the inputs.conf file under the stanza:
index = indexname
If you are using a monitor input on the forwarder, put it under the monitor stanza for those file names, or you can put it under other stanzas on the indexer; that is, if you are using a UDP/TCP input, write index=indexname under [tcp], [udp] or [splunktcp]. See more info:
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf

Let me know if you have any questions.


Path Finder

tl;dr

put this in local/inputs.conf

[batch://$SPLUNK_HOME/var/spool/splunk]
index = yourindex

0 Karma


Path Finder

I tried the approach you are suggesting already in the local/inputs.conf file for the app, but it only changed the index for the scripts output (nessus2splunk) not the actual Nessus data's index. I would like the actual Nessus data to go into a different index. Thanks.

[script://./bin/nessus2splunk.py]
disabled = false
interval = 120
index = security
source = nessus2splunk
sourcetype = nessus2splunk

0 Karma

New Member

This does not seem to work. I have the latest version of splunk and the latest version of Splunk_TA_nessus.
It always goes to the "main" index.

0 Karma

New Member

Yes, I have the same problem, which couldn't be resolved. Do I really need to do index routing in transforms.conf?

0 Karma

Path Finder

Were you able to get this to work using transforms? I added the stanza below to my indexers and it is still not working properly.

[force_index_for_nessus]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = vulnerability

0 Karma

Builder

Can you please send me all the inputs.conf content of the forwarder...

0 Karma

Path Finder

Are you familiar with this app? It is not supposed to be installed on a forwarder. I have the Splunk indexer and search head installed on one machine. I think the app is using a batch input, but I am not able to find the stanza in the default/inputs.conf. I don't think you want me to send all the inputs.conf from my indexer.

0 Karma

Builder

$SPLUNK_HOME/var/spool/splunk is the place from which your Nessus files are read, so you have to give your index details under the stanza that monitors this directory/file.

Path Finder

I added this in the local/inputs.conf file for the app, restarted splunk, and then processed another nessus file and it went into the correct index.

[batch://$SPLUNK_HOME/var/spool/splunk]
index = security

Thanks for the help.

0 Karma

Path Finder

If you add this stanza, everything in that spool directory will be sent to your index=security. Did you have to specify the nessus files in order to avoid that?

[batch://$SPLUNK_HOME/var/spool/splunk/*.nessus]
index = security

0 Karma
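The thread's root cause is that the index is set per input stanza: the local override on the script:// stanza only re-routed the nessus2splunk script output, while the .nessus files arrive through the batch:// spool stanza and kept falling back to main. The script below is an added example (not part of Splunk_TA_nessus or the Splunk product) that models the default/ then local/ layering of inputs.conf, resolves which index each stanza will write to, and checks whether a batch:// path covers a given file, which answers the last post's question about the directory stanza versus a *.nessus wildcard. The conf contents, the /opt/splunk install path used to expand $SPLUNK_HOME, and the simplified wildcard rule (a plain directory covers everything beneath it; `*` matches within one path component) are constructed assumptions that follow standard Splunk behavior.

```python
"""Resolve the effective index of Splunk input stanzas across conf layers.

Added example; constructed conf contents, not the add-on's own files.
"""
import fnmatch
import os

SPLUNK_HOME = "/opt/splunk"   # assumed install path, used to expand $SPLUNK_HOME
DEFAULT_INDEX = "main"        # Splunk's fallback when no stanza sets an index

# Constructed sample of an app's shipped default/inputs.conf (no index set anywhere).
DEFAULT_INPUTS_CONF = """
[script://./bin/nessus2splunk.py]
disabled = false
interval = 120
source = nessus2splunk
sourcetype = nessus2splunk

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
sourcetype = nessus
"""

# Constructed sample of the first attempt in the thread: only the script stanza overridden.
LOCAL_SCRIPT_ONLY = """
[script://./bin/nessus2splunk.py]
index = security
"""

# Constructed sample of the working fix: the spool batch stanza is overridden too.
LOCAL_FIXED = """
[script://./bin/nessus2splunk.py]
index = security

[batch://$SPLUNK_HOME/var/spool/splunk]
index = security
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' comments and blank lines are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza or malformed line: ignore
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge layers lowest-precedence first; later layers override per key, like default/ then local/."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def resolve_indexes(merged):
    """Map each input stanza to its index: stanza value, else [default] stanza value, else main."""
    global_default = merged.get("default", {}).get("index", DEFAULT_INDEX)
    return {s: kv.get("index", global_default) for s, kv in merged.items() if s != "default"}


def effective_indexes(default_conf, local_conf):
    """Convenience wrapper: parse both layers, merge, and resolve the index per stanza."""
    return resolve_indexes(merge_layers(parse_conf(default_conf), parse_conf(local_conf)))


def covers(stanza, filepath):
    """True if a batch:// or monitor:// stanza path applies to filepath.

    A plain directory path covers every file beneath it; a path ending in a
    wildcard covers only files in that directory whose name matches it.
    """
    scheme, _, pattern = stanza.partition("://")
    if scheme not in ("batch", "monitor"):
        return False
    pattern = pattern.replace("$SPLUNK_HOME", SPLUNK_HOME)
    if not any(ch in pattern for ch in "*?"):
        return filepath.startswith(pattern.rstrip("/") + "/")
    # Keep '*' inside one path component (Splunk uses '...' to cross directories).
    return (os.path.dirname(filepath) == os.path.dirname(pattern)
            and fnmatch.fnmatch(os.path.basename(filepath), os.path.basename(pattern)))


if __name__ == "__main__":
    for label, local in (("script stanza only", LOCAL_SCRIPT_ONLY), ("batch stanza too", LOCAL_FIXED)):
        print(label)
        for stanza, index in effective_indexes(DEFAULT_INPUTS_CONF, local).items():
            print(f"  {stanza} -> {index}")
    spool = "batch://$SPLUNK_HOME/var/spool/splunk"
    print(spool, "covers other.log:", covers(spool, "/opt/splunk/var/spool/splunk/other.log"))
    print(spool + "/*.nessus", "covers other.log:",
          covers(spool + "/*.nessus", "/opt/splunk/var/spool/splunk/other.log"))
```

Running it shows the script stanza resolving to security in both cases while the batch stanza stays on main until it gets its own index line, and that the unqualified spool stanza covers every file dropped into the directory whereas the *.nessus form covers only the scan files.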