Getting Data In

How to configure inputs.conf to route logs from 2 IP addresses to a specific index?

Communicator

Hello

I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs coming in over port 514 from two particular IP addresses to a specific index.

I would like anything with IP 192.168.1.1 and 192.168.1.2 to get indexed in an index called "web-gateway" and I do not want this configuration to affect anything else coming through via port 514.

From my understanding, I can do this using inputs.conf. I have read through the documentation for inputs.conf and the only thing in relation to IPs I can see in there is to blacklist or whitelist.

Can somebody advise how I can do this please?

Thanks

1 Solution

Influencer

Define two new stanzas in your inputs.conf:

[udp://192.168.1.1:514]
index=web-gateway

[udp://192.168.1.2:514]
index=web-gateway

View solution in original post

Influencer

Define two new stanzas in your inputs.conf:

[udp://192.168.1.1:514]
index=web-gateway

[udp://192.168.1.2:514]
index=web-gateway

View solution in original post

Contributor

FWIW, names worked too...

thanks!

0 Karma

Communicator

That worked great thanks

0 Karma

Motivator

cool and Thanks for the information

0 Karma

Community Manager
Community Manager

Hi @j666gak

Thanks for the information and clarifying. I edited your post to include the extra details you provided in your last comment.

0 Karma