Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?

sworton
Explorer
‎11-05-2018 01:10 AM

Hi,

How do I get Splunk to forward syslogs from a certain host to a different Index using the Web GUI?

They are all coming in on port UDP 514 from a Windows forwarder. I want all of this in main apart from syslogs from a certain IP which I want to go into a new index.

It seems to keep complaining that port 514 is already in use which it is but I want

all hosts UDP\514 > main index
x.x.x.x UDP/514 > new index

Thanks for any help, I'm new to this!

Cheers,
Steve.

Tags (1)
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎11-06-2018 02:46 PM

hi @sworton

Did either of the answers below solve your problem? If so, please resolve approving one of them. If your problem is still not solved, keep us updated so that someone else can help ya. Thanks!

0 Karma
Reply

Rob2520
Communicator
‎11-05-2018 01:39 PM

https://answers.splunk.com/answers/1026/route-data-to-index-based-on-host.html

https://answers.splunk.com/answers/30585/route-syslog-data-to-specific-index-by-host.html

The above answers should help what you are looking for.

0 Karma
Reply

miwade
Engager
‎11-05-2018 12:38 PM

I don't know of any way to do this from the GUI. You may need to get into the backend to update the app.

1) Find where your current inputs.conf file is located on the server. The best place to look is /opt/splunk/etc/apps/search/local/input.conf for linux.

2)Find the stanza that starts like this:

[tcp://:514]

3) Above that put in a new stanza that looks like this.

[tcp://<put server ip here>:514]
index = <new index name here>

4) Restart splunk from the webui

You may need to add or removed fields to get the desired results. Here is the documentation page.
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Inputsconf#inputs.conf.example

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...