Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I get logs from network gear to a specific index?

jmads
Explorer
‎11-16-2018 07:33 AM

I use Splunk on Windows. I have several heavy forwarders that forward Windows event logs to my indexer cluster into indexes named for the subnet where the Windows boxes reside. One such subnet has both Windows boxes and network gear. The Windows boxes send logs on port 9997 while the network gear sends on port 514 to the Heavy Forwarder. The logs from the Windows boxes show up in the appropriate index on the indexer cluster, but the network gear shows up in the Main index.

How can I get the logs from the network gear to show up in the Network index from that heavy Forwarder? I believe that the solution lies in creations/modifications to the transforms.conf and props.conf files in splunkhome\etc\system\local folder. I appreciate any help. Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-16-2018 09:10 AM

If your HF is receiving the syslog data directly, look for an inputs.conf setting for udp:514 and add an index=mynetworkindex to it... ideally by running splunk btool --debug inputs list udp

If your HF's machine has a syslog daemon running that receives the data (better practice!), look for a monitor stanza in your HF's inputs.conf that reads the logs from the syslog daemon off disk, and set the network index in there.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-16-2018 09:10 AM

If your HF is receiving the syslog data directly, look for an inputs.conf setting for udp:514 and add an index=mynetworkindex to it... ideally by running splunk btool --debug inputs list udp

If your HF's machine has a syslog daemon running that receives the data (better practice!), look for a monitor stanza in your HF's inputs.conf that reads the logs from the syslog daemon off disk, and set the network index in there.

0 Karma
Reply
Solved! Jump to solution

jmads
Explorer
‎11-16-2018 10:25 AM

Thanks, Martin! I have to unexpectedly leave work early today, but will give this a shot first thing Monday morning!

0 Karma
Reply
Solved! Jump to solution

jmads
Explorer
‎11-20-2018 03:52 AM

Martin, this worked like a champ! Thanks for the help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...