Hi All,
here is the question.
I have logs from 4 IPs received on UDP 514, for example 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4.
1.1.1.1 and 2.2.2.2 are the same sourcetype.
3.3.3.3 and 4.4.4.4 are the same sourcetype.
For now, my approach is:
inputs.conf

[udp://1.1.1.1:514]
index = test
sourcetype = pan:firewall

[udp://2.2.2.2:514]
index = test
sourcetype = pan:firewall

[udp://3.3.3.3:514]
index = test
sourcetype = cp_log

[udp://4.4.4.4:514]
index = test
sourcetype = cp_log
props.conf

[host::1.1.1.1]
TRANSFORMS-throw_dns = throwdns

[host::2.2.2.2]
TRANSFORMS-throw_dns = throwdns

[host::3.3.3.3]
TRANSFORMS-throw_ntp = throwntp

[host::4.4.4.4]
TRANSFORMS-throw_ntp = throwntp
As you can see in inputs.conf and props.conf,
1.1.1.1 and 2.2.2.2 share the same configuration, and
3.3.3.3 and 4.4.4.4 share the same configuration.
Is there any method to group them up?
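One way to collapse the duplicated per-host stanzas, written here as an added example rather than anything from the original post or from Splunk's documentation: keep the inputs.conf stanzas as they are (that is where each sending host gets its sourcetype) and key the props.conf stanzas on the sourcetype instead of the host, so one stanza covers every host tagged with that sourcetype. The question names the transforms throwdns and throwntp but does not show their bodies; the transforms.conf section below is assumed, and its REGEX values are constructed placeholders.

```ini
# inputs.conf (unchanged from the question: one stanza per sending host,
# which is where each host is assigned its sourcetype)
[udp://1.1.1.1:514]
index = test
sourcetype = pan:firewall

[udp://2.2.2.2:514]
index = test
sourcetype = pan:firewall

[udp://3.3.3.3:514]
index = test
sourcetype = cp_log

[udp://4.4.4.4:514]
index = test
sourcetype = cp_log

# props.conf: stanzas keyed on sourcetype rather than host, so the transform
# applies to every host that inputs.conf tagged with that sourcetype.
# Two stanzas replace the four [host::x.x.x.x] stanzas from the question.
[pan:firewall]
TRANSFORMS-throw_dns = throwdns

[cp_log]
TRANSFORMS-throw_ntp = throwntp

# transforms.conf: ASSUMED bodies for the transforms the question only names.
# Each routes matching events to nullQueue, which discards them before
# indexing. The REGEX values are constructed placeholders; replace them with
# a pattern validated against a sample of the real events.
[throwdns]
REGEX = \bdns\b
DEST_KEY = queue
FORMAT = nullQueue

[throwntp]
REGEX = \bntp\b
DEST_KEY = queue
FORMAT = nullQueue
```

Because nullQueue drops events permanently, check each REGEX against captured sample events from the real sourcetype before deploying it, so that only the intended DNS or NTP noise is discarded and nothing security-relevant from the firewall is silently lost. If a third host of the same sourcetype is added later, only inputs.conf needs a new stanza; props.conf stays as it is.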
Hi
You could configure Splunk to listen on another port, under Data Inputs, UDP, for example port 10514,
and make hosts 3.3.3.3 and 4.4.4.4 send syslog to port 10514.
[udp://3.3.3.3:10514]
index = test
sourcetype = cp_log
Is it possible to listen on the same port?