Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter Origin from LEA_OPSEC Input

simuvid
Splunk Employee
Splunk Employee
‎07-01-2010 11:08 AM

Hi all,

I have posted a similar question before, but I think I was not specific enough.

What I mean is, when getting events as a data input from Checkpoint Devices, include by using LEA_OPSEC, all of these events are listed and shown as one host and source. In the events listing I see multiple different origins of the events, so my question is:

Is there a possibility to filter these different origins, before indexing them, to display them by as source or host related to their origin?

Hope that is a bit clearer 🙂

Cheers,

Christian

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mmletzko
Path Finder
‎08-13-2010 08:18 PM

Christian,

You can add a "host = " line in your /opt/splunk/etc/system/local/inputs.conf file. It would look something like this:

[script:/opt/splunk/etc/apps/lea-loggrabber-xxx_xxx/bin/lea-loggrabber.sh]
host = xxx_xxx
interval = 60
sourcetype = opsec
disabled = false

After making the change, stop/start splunk and you should see the host now showing up instead of the name of the box this is configured on.

-Matt

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mmletzko
Path Finder
‎08-13-2010 08:18 PM

Christian,

You can add a "host = " line in your /opt/splunk/etc/system/local/inputs.conf file. It would look something like this:

[script:/opt/splunk/etc/apps/lea-loggrabber-xxx_xxx/bin/lea-loggrabber.sh]
host = xxx_xxx
interval = 60
sourcetype = opsec
disabled = false

After making the change, stop/start splunk and you should see the host now showing up instead of the name of the box this is configured on.

-Matt

0 Karma
Reply
Solved! Jump to solution

simuvid
Splunk Employee
Splunk Employee
‎08-14-2010 07:30 AM

Thanks for your reply!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...