I have a Splunk server which is both Indexer and Search Head. All of the logs are split into different files by rsyslog in a front process.
So I have all logs in file format by host like:
All input to Splunk is indexed by the monitor file method for one or several files (broadcast /var/rsyslog/*).
I installed three apps:
- splunk_app_for_nix (includes SA-nix, Splunk_TA_nix), dedicated to the Linux/Unix system event dashboard.
- cisco_ios (includes TA-cisco_ios), dedicated to the Cisco switch event dashboard.
- Splunk_CiscoSecuritySuite (includes Splunk_TA_cisco-asa), dedicated to the ASA event dashboard.
My three inputs are:
For splunk_app_for_nix --> splunk_app_for_nix/local/inputs.conf
disabled = false
host_segment = 4
index = index_nix
sourcetype = syslog
For cisco_ios ---> cisco_ios/local/inputs.conf
disabled = false
host = cisco_swith_HostName
index = net_cisco
sourcetype = syslog
Splunk_CiscoSecuritySuite ---> Splunk_TA_cisco-asa/local/inputs.conf
disabled = false
host = cisco_asa_Hostname
index = net_asa
sourcetype = syslog
My dashboards for cisco_ios and CiscoSecuritySuite are OK. All events are displayed correctly except for the *nix system.
All logs in index "index_nix" aren't extracted correctly according to the nix extractions.
My question is: how does Splunk know which "syslog" to use in order to adapt it to each kind of log: Linux syslog, Cisco IOS syslog or Cisco ASA syslog?
Any help is appreciated. Thanks in advance.
Thanks for your answer.
I wanted to add data to a different index for each kind of equipment: index_nix, index_cisco, index_asa, to allow different role permissions.
I know that *nix needs to create other indexes like "os", "unix_summary", ...
My question is how Splunk can know the different kinds of sourcetype with the same name "syslog" dedicated and configured in different apps or TAs ("syslog" of cisco_ios or "syslog" of splunk_app_for_nix?). In this case, which props.conf or transforms.conf file does Splunk use (the Cisco one or the nix one)?
Thanks for any help
Hi pvuong,
Splunk just uses the sourcetype, source or host to extract the fields; if you have syslog then it will try to extract fields. It's not recommended to have multiple different styles of data with the same sourcetype. A normal way is to give names to your sourcetypes, for example for Cisco ASA, use sourcetype=cisco:asa, for Cisco router use sourcetype=cisco:router and so on.
Your props.conf and transforms.conf will be related to a sourcetype (most common usage).
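As an added illustration of that advice (not from the original answer, and not the TAs' own configuration), here is one way to assign a distinct sourcetype per device type at input time, plus a props/transforms override for the case where several device types still land in one monitored path. The directory layout under /var/rsyslog, the sourcetype name linux_messages_syslog and the message regexes are assumptions to adapt to your setup.

```ini
# inputs.conf on the indexer (constructed paths: /var/rsyslog/<type>/<host>/<file>)
# host_segment = 4 picks the <host> directory as the event host.
[monitor:///var/rsyslog/linux/*/messages]
disabled = false
host_segment = 4
index = index_nix
# assumed to be the sourcetype Splunk_TA_nix expects for /var/log/messages data
sourcetype = linux_messages_syslog

[monitor:///var/rsyslog/switch/*/syslog.log]
disabled = false
host_segment = 4
index = net_cisco
sourcetype = cisco:ios

[monitor:///var/rsyslog/asa/*/syslog.log]
disabled = false
host_segment = 4
index = net_asa
sourcetype = cisco:asa

# props.conf: only needed if mixed devices still arrive under the generic sourcetype.
# Transforms run in the listed order; the IOS regex excludes %ASA- so it cannot
# overwrite the ASA assignment.
[syslog]
TRANSFORMS-set_cisco_sourcetype = set_st_cisco_asa, set_st_cisco_ios

# transforms.conf
[set_st_cisco_asa]
# ASA messages carry a %ASA-<severity>-<6-digit id>: tag
REGEX = %ASA-\d-\d{6}:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa

[set_st_cisco_ios]
# IOS messages carry a %FACILITY-<severity>-MNEMONIC: tag
REGEX = %(?!ASA-)[A-Z0-9_]+-\d-[A-Z0-9_]+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios
```

The TRANSFORMS override is applied at parse time, so it must live on the instance that indexes the data (here the same box) and only affects events indexed after a restart; already indexed events keep their old sourcetype.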
OK, thanks for your answer. For Cisco ASA and Cisco IOS, I have indeed used cisco:asa and cisco:ios as the sourcetypes for my Cisco logs.
So it's not recommended to have multiple different styles of data with the same sourcetype. Why aren't the apps or TAs configured in default/props.conf with different kinds of log like
instead of the same name "syslog", which can quite easily lead to confusion...
Thanks for your answer.
It's very common that Splunk uses the props.conf and transforms.conf files to configure how to extract fields. Does the *nix app require you to add data to index_nix or to another index? In the README file of the app you can find more information.