How to maintain data integrity in Splunk Index? I ...

sunnyb147 · ‎02-05-2019

How to maintain data integrity in Splunk Index? I mean to say is there any white-listing of servers that only specific servers are allowed to forward the data to specific index?

For example: I have two indexes index_test1 and index_test2 and have 4 servers (A,B,C,D) configured to forward the data. I want only servers A and B should send the data to index_test1 and B & C should send the data to index_test2.

Sample stanza:

[monitor:////var/log/test/app/test.log]
index=index_test1
sourcetype = test_Log
source = test_log_f1
disabled = 0

Reason why I am looking for it is, lets say if someone made a typo then the intended data will be pushed to incorrect/wrong index.

vishaltaneja070 · ‎02-05-2019

Hello @sunnyb147

I think something like below will work for you:
props.conf

    [host::A|B]
    TRANSFORMS-datafilter = route_to_correct_index

    [host::C|D]
    TRANSFORMS-datafilter = route_to_correct_index2

Transforms.conf

[route_to_correct_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test1

[route_to_correct_index2]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test2

vishaltaneja070 · ‎02-05-2019

Place this setting on HF or Indexer

How to maintain data integrity in Splunk Index? I mean to say is there any white-listing of servers that only specific servers are allowed to forward the data to specific index?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

How to maintain data integrity in Splunk Index? I mean to say is there any white-listing of servers that only specific servers are allowed to forward the data to specific index?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)