I have the app working well pulling events from about a dozen sensors. I'm undergoing an effort where I'm moving various data inputs into separate indexes to facilitate implementing access controls. I've attempted to add the index= directive in my local/inputs.conf, but it still sends all the events to main. Is the get_ips_feed.py script set up to use the index= directive in inputs.conf? Any ideas on how I can get these inputs into a specific index? Here's my sanitized inputs.conf:

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py "splunk_user" "splunk_password" 1.2.3.4]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = 0
interval = 1
index = ips

Also the ips index is created and working properly. We have data from a different IPS vendor successfully logging to that index.
I've got it working now. Apparently the local/inputs.conf scripts only control how the data is logged into local log files in $SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/. There is a separate monitor line in default/inputs.conf that watches for new entries in those log files and indexes them. By copying the monitor section from default/inputs.conf into local/inputs.conf and adding a line to specify the index, the data is now flowing to the ips index as expected.
[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]
sourcetype = cisco_ips_syslog
disabled = false
_whitelist = ips_sdee.log
index = ips
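To see why the first attempt failed, here is an added example (not Splunk's code and not part of the Splunk_CiscoIPS app) that models how Splunk layers default/inputs.conf under local/inputs.conf: local overrides default key by key within a stanza, and a stanza with no index= setting lands in main. The three conf snippets are constructed for the example; the stanza names are the ones from this thread. The point it shows is that index= on the script stanza is inert for this app, because the script writes a log file and the monitor stanza is what actually indexes the events.

```python
"""Added example, not Splunk's own code: a small model of Splunk's
default/local inputs.conf layering, used to show which index the Cisco IPS
events end up in before and after the monitor stanza gets an index= line.
The merge rule (local overrides default per key; unset index falls back to
main) is Splunk's documented behaviour; the conf texts below are constructed."""
import configparser

SCRIPT_STANZA = ('script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py'
                 ' "splunk_user" "splunk_password" 1.2.3.4')
MONITOR_STANZA = "monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/"

# Constructed stand-in for the app's default/inputs.conf: the script stanza
# ships disabled, and only the monitor stanza indexes anything.
DEFAULT_CONF = f"""
[{SCRIPT_STANZA}]
sourcetype = cisco_ips_syslog
source = SDEE
interval = 1
disabled = 1

[{MONITOR_STANZA}]
sourcetype = cisco_ips_syslog
disabled = false
_whitelist = ips_sdee.log
"""

# Constructed: the first attempt from the question (index= on the script stanza only).
LOCAL_BEFORE = f"""
[{SCRIPT_STANZA}]
disabled = 0
index = ips
"""

# Constructed: the fix from the answer (monitor stanza copied to local with index=).
LOCAL_AFTER = LOCAL_BEFORE + f"""
[{MONITOR_STANZA}]
index = ips
"""


def parse_conf(text):
    """Parse a .conf file into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="__no_default__", strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_inputs(default_text, local_text):
    """Layer local over default the way Splunk does: per stanza, key by key."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def is_enabled(stanza_keys):
    """Splunk treats a missing disabled= as enabled."""
    return stanza_keys.get("disabled", "0").strip().lower() not in ("1", "true")


def event_index(default_text, local_text, stanza):
    """Index the named stanza writes to; Splunk falls back to main when unset."""
    return effective_inputs(default_text, local_text)[stanza].get("index", "main")


def where_do_ips_events_land(local_text):
    """In this app the script only writes ips_sdee.log; the monitor stanza is
    what indexes events, so its index= (not the script stanza's) decides."""
    return event_index(DEFAULT_CONF, local_text, MONITOR_STANZA)


if __name__ == "__main__":
    for label, local in (("before fix", LOCAL_BEFORE), ("after fix", LOCAL_AFTER)):
        merged = effective_inputs(DEFAULT_CONF, local)
        print(f"{label}: script enabled={is_enabled(merged[SCRIPT_STANZA])}, "
              f"script index={merged[SCRIPT_STANZA].get('index', 'main')} (inert here), "
              f"events land in index={where_do_ips_events_land(local)}")
```

On a real search head or forwarder the equivalent check is `splunk btool inputs list --app Splunk_CiscoIPS --debug`, which prints the merged stanzas with the file each key came from; confirm the monitor stanza shows index = ips before you grant roles access to that index, since events that silently land in main bypass the per-index access control this separation is meant to provide. That btool output, like a process listing, also shows the script's command line including the password argument, so restrict who can run it.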