Solved: Re: How to configure inputs.conf to route logs fro...

j666gak · ‎03-25-2015

Hello

I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs coming in over port 514 from two particular IP addresses to a specific index.

I would like anything with IP 192.168.1.1 and 192.168.1.2 to get indexed in an index called "web-gateway" and I do not want this configuration to affect anything else coming through via port 514.

From my understanding, I can do this using inputs.conf. I have read through the documentation for inputs.conf and the only thing in relation to IPs I can see in there is to blacklist or whitelist.

Can somebody advise how I can do this please?

Thanks

masonmorales · ‎03-25-2015

Define two new stanzas in your inputs.conf:

[udp://192.168.1.1:514]
index=web-gateway

[udp://192.168.1.2:514]
index=web-gateway

View solution in original post

masonmorales · ‎03-25-2015

Define two new stanzas in your inputs.conf:

[udp://192.168.1.1:514]
index=web-gateway

[udp://192.168.1.2:514]
index=web-gateway

Michael · ‎12-14-2016

FWIW, names worked too...

thanks!

j666gak · ‎04-02-2015

That worked great thanks

fdi01 · ‎04-08-2015

cool and Thanks for the information

ppablo · ‎03-25-2015

Hi @j666gak

Thanks for the information and clarifying. I edited your post to include the extra details you provided in your last comment.

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases