Is there a way to customize indexing per IP range?
For example, I have a device in the 192.168.10.0 range. Logs from this device I want to go to the "index1" index. I have another device in the 192.168.50.0 range, and I want all of its logs to go to the "index2" index instead.
If both devices are running Splunk, I can define the default index. However, unsure how to handle everything else that can't run Splunk (network devices, ESX servers, etc).
Thanks for any input.
I was able to pin down what I was looking for in this thread:
I'm able to route messages to specific indexes depending on which network range they were received from- very handy when there's going to be dozens.
Thanks for everyone's input!
If you want a single TCP Input listener (TCP:514), but to route events to separate indexes based on source IP, you will have to use a transform and a regex.
Does anyone know if Meta:host can be used as a qualifier for a transform?
I presume that your going to have inputs set up for each of these devices. If you have an input set up for a particular device, you can simply specify the index that you'd like the device it reports to inside of inputs.conf.
You probably should review the index.conf.spec file, which you can read here:
You'll also need to set up indexes for these inputs. You can set up the indexes in a few different ways, they are documented here:
To add to this, it may be most expedient to have multiple network inputs for devices that log only to the network (but have configurable ports). It's also possible to route data using props and transforms, but this requires some regex wizardry.