Splunk Search

Receive cooked data to index securitylogs

nicocin
Path Finder

We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk.

I want to receive the data to a restricted index (securitylogs).

In a first try I configured the listening port in the Webui, Setting -> Forwarding and receiving -> Configure receiving -> added Port 3514

This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers":

inputs.conf
[splunktcp://3514]
disabled = 0
index = securitylogs

Then I used the "| delete" function to remove the data from the main index.

Now I don't get any data from the appliances anymore and I've no idea why.

Maybe someone can give me a hint what's the problem of my config?

0 Karma
1 Solution

nicocin
Path Finder

Thank you for the tips.

I've changed nothing but now I'm receiving events.

Unfortunately they go to the main index.


How can I change that?

View solution in original post

0 Karma

nicocin
Path Finder

I've found another article that states "The 'splunktcp' input is not a data input, but instead an input to listen to Splunk Forwarders."

So I've configured it with props.conf and transforms.conf:

props.conf
[mc_logs]
TRANSFORMS-index=sendtomyindex

transforms.conf
[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=securitylogs

Now the data goes to the index "securitylogs".

0 Karma

niemesrw
Path Finder

It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:

  1. Run tcpdump on the indexer where you have that input & index configured, do you see traffic making its way to that indexer?
  2. Run netstat -an | grep 3514 on the indexer to ensure the port is open & listening
  3. Examine the securitylogs index to ensure it's growing
  4. Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads & the indexers)
  5. Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers
0 Karma

woodcock
Esteemed Legend

Did you configure the securitylogs index in indexes.conf on all of your indexers (and then restart them)?

0 Karma
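To make the two points in this thread concrete (the props.conf/transforms.conf index override for cooked data, and woodcock's question about whether the target index is defined on every indexer), here is an added Python example that is not part of the thread and not Splunk's own code. It parses the exact stanzas posted above with a simplified model of the indexer pipeline: for each event it runs the sourcetype's TRANSFORMS-* stanzas, rewriting `_MetaData:Index` (the index the forwarder already stamped on the cooked event), and then reports which indexers lack an indexes.conf stanza for the destination index. The events, the proxy/firewall host names, the `syslog` sourcetype and the two indexer names (idx01, idx02) are constructed for the example; idx02 is deliberately missing the `securitylogs` index to show what the check reports.

```python
import configparser
import re

# Stanzas as posted in the thread (props.conf / transforms.conf on the indexers).
PROPS_CONF = """\
[mc_logs]
TRANSFORMS-index = sendtomyindex
"""

TRANSFORMS_CONF = """\
[sendtomyindex]
SOURCE_KEY = _MetaData:Index
DEST_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = securitylogs
"""

# Constructed indexes.conf contents for two hypothetical indexers; idx02 is
# deliberately missing the securitylogs index.
INDEXES_CONF = {
    "idx01": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n\n"
             "[securitylogs]\nhomePath = $SPLUNK_DB/securitylogs/db\n",
    "idx02": "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n",
}

# Constructed cooked events: the sender already stamped index=main on them,
# which is why an index= setting on the splunktcp input alone did not help.
EVENTS = [
    {"host": "proxy01", "sourcetype": "mc_logs", "_MetaData:Index": "main",
     "_raw": "GET http://example.invalid/ 200"},
    {"host": "proxy02", "sourcetype": "mc_logs", "_MetaData:Index": "main",
     "_raw": "CONNECT example.invalid:443 200"},
    {"host": "fw01", "sourcetype": "syslog", "_MetaData:Index": "main",
     "_raw": "deny tcp 10.0.0.5 -> 10.0.0.9:22"},
]


def load_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keys such as TRANSFORMS-index are case-sensitive in Splunk
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def apply_transform(meta, transform):
    """Apply one transforms.conf stanza to an event's metadata dict (in place)."""
    source = transform.get("SOURCE_KEY", "_raw")
    match = re.search(transform["REGEX"], meta.get(source, ""))
    if match is None:
        return False
    # Splunk's FORMAT refers to capture groups as $1, $2, ...; expand them here.
    value = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))),
                   transform["FORMAT"])
    meta[transform["DEST_KEY"]] = value
    return True


def route_event(event, props, transforms):
    """Return the event metadata after its sourcetype's TRANSFORMS-* stanzas ran."""
    meta = dict(event)
    stanza = props.get(meta.get("sourcetype"), {})
    for key, names in stanza.items():
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in names.split(",")):
                apply_transform(meta, transforms[name])
    return meta


def route_all(events=EVENTS):
    """Route every constructed event through the posted props/transforms."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    return [route_event(e, props, transforms) for e in events]


def indexers_missing_index(index, indexes_conf_by_host):
    """Names of indexers whose indexes.conf has no stanza for `index`."""
    return sorted(host for host, text in indexes_conf_by_host.items()
                  if index not in load_conf(text))


if __name__ == "__main__":
    for e in route_all():
        print(f"{e['host']} ({e['sourcetype']}) -> index={e['_MetaData:Index']}")
    missing = indexers_missing_index("securitylogs", INDEXES_CONF)
    print("indexers missing securitylogs:", ", ".join(missing) or "none")
```

Only the `mc_logs` events are rerouted; the `syslog` event keeps the index the sender gave it, which is the behaviour to expect from a sourcetype-scoped TRANSFORMS-index. The last check mirrors woodcock's point: if the index is missing on any indexer the transform still fires there, but the events have nowhere to land, so the indexes.conf stanza has to be deployed (and splunkd restarted) on all of them.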

nicocin
Path Finder

It is configured in the app config_all_indexers which is deployed to all indexers.

I've restarted splunkd on all indexers.

0 Karma