Overriding indexes of sources in SC4S

MediumToast
Engager

Hi,

Apologies if I'm using the wrong terminology here.

I'm trying to configure SC4S to override the destination indexes of types of sources. For example, if an event is received from a Cisco firewall by default it'll end up in the 'netfw' index. Instead, I want all events that would have gone to 'netfw' to go to, for example, 'site1_netfw'.

I attempted to do this using the splunk_metadata.csv file but I now understand I've misinterpreted the documentation. I had used 'netfw,index,site1_netfw' but if I understand correctly, I'd actually need to have a separate line for each key such as 'cisco_asa,index,site1_netfw'. Is that correct? Is there a way to accomplish what I want without listing each source key?

Thanks

1 Solution

MediumToast
Engager

Thanks for the response.

Maciek Stopa on the Splunk Slack workspace provided this novel code that has worked well. This doesn't handle the metrics and sc4s events, but I handled those in splunk_metadata.csv.

# cp example_postfiler.conf /opt/sc4s/local/config/app_parsers/
# systemctl restart sc4s

block parser app-dest-rewrite-index() {
    channel {
        rewrite {
            r_set_splunk_dest_update_v2(
                index("${.splunk.index}_unique-suffix")
            );
        };
    };
};

application app-dest-rewrite-index[sc4s-postfilter] {
    parser { app-dest-rewrite-index(); };
};


KendallW
Contributor

Hi @MediumToast 
If you only specify netfw,index,site1_netfw, it will not apply to all events from sources that are configured to be sent to the netfw index. It will only apply to events with the exact key netfw.

Also, SC4S does not support wildcards in the splunk_metadata.csv file, so each sourcetype must be explicitly defined. If you have multiple Cisco devices (or any other types) that you want to redirect to site1_netfw, you will need to list each one individually. 

You could get around this by updating the compliance_meta_by_source.conf and compliance_meta_by_source.csv files, e.g. like this (please test):

compliance_meta_by_source.conf:

filter f_netfw_sources {
    program("cisco_asa" type(string)) or
    program("cisco_ios" type(string)) or
    program("cisco_nexus" type(string)) or
    program("juniper_netscreen" type(string))
    # Add other relevant network firewall source types here
};

compliance_meta_by_source.csv:

f_netfw_sources,.splunk.index,site1_netfw


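An added example, not part of this thread and not SC4S's shipped configuration, that builds on the Slack post-filter in the accepted answer: the same r_set_splunk_dest_update_v2 rewrite of ${.splunk.index}, but with a syslog-ng filter in front of it so that only the indexes you list are re-homed and everything else (including the metrics and internal sc4s events the asker had to handle separately in splunk_metadata.csv) passes through untouched. The block name, the index list and the site prefix are placeholders to adjust. It assumes that a non-matching filter inside the parser's channel leaves the event alone rather than dropping it; that is an assumption to verify on a test instance with a few sample events before relying on it.

```syslog-ng
# Added example (not from the thread, not SC4S's own config).
# Install like the accepted answer's file:
#   cp site_index_rewrite.conf /opt/sc4s/local/config/app_parsers/
#   systemctl restart sc4s

block parser app-dest-rewrite-index-by-site() {
    channel {
        filter {
            # Only events already bound for one of these indexes get rewritten.
            # Placeholder list: add the SC4S default indexes you want per-site
            # copies of. Anything else, e.g. the metrics index or SC4S's own
            # events, does not match and keeps its original destination.
            match("^(netfw|netops)$" value(".splunk.index"));
        };
        rewrite {
            # Prefix form, as the original question asked for (site1_netfw);
            # swap the template for "${.splunk.index}_site1" if you prefer a suffix.
            r_set_splunk_dest_update_v2(
                index("site1_${.splunk.index}")
            );
        };
    };
};

# Register as a post-filter so it runs after SC4S has already chosen the index.
application app-dest-rewrite-index-by-site[sc4s-postfilter] {
    parser { app-dest-rewrite-index-by-site(); };
};
```

After the restart, confirm the result from the Splunk side with a search such as index=site1_* and check that a search over the untouched indexes (metrics and the sc4s events index) still returns data; if the metrics or internal events stop arriving, the filter is dropping non-matching events on your version and the splunk_metadata.csv entries from the thread remain the safer route for those.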