In our environment (mid-size enterprise with remote sites) we have our primary indexer on dedicated hardware. All data that is indexed is sent from forwarders distributed throughout the enterprise. On the indexer, I would like to segregate incoming data based on OS and site into separate databases. Something like incoming Linux data from LA to the LAXLI db, incoming Windows data from Seattle to the SEAWIN db and so on.
Has anyone done this or does anyone know how? Is it possible?
I guess that by database you mean separate indexes. And yes, this is most certainly doable, and perhaps even desirable.
You'd need to create indexes on your indexer (can be done through the GUI under Manager->Indexes). Then you'll have to configure each forwarder to send data to the correct index in the inputs.conf files on the forwarders, e.g.:
on a Windows forwarder in Chicago:
[WinEventLog:Security]
index = CHIWIN
disabled = 0
[WinEventLog:Application]
index = CHIWIN
disabled = 0
and for a Linux forwarder in Anchorage:
[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN
disabled = false
[monitor:///var/log/myApp/myLog.log]
sourcetype = myType
index = ANCLIN
disabled = false
Please note that you have to create the indexes before you start sending data.
Hope this helps.
Kristian
If your problem was solved, please mark it as answered. Thanks.
/k
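Since the indexes must exist on the indexer before a forwarder starts routing to them, a quick pre-flight check is to compare the index= targets in each forwarder's inputs.conf against the stanzas in the indexer's indexes.conf. The script below is an added example, not from the original thread or from Splunk; the two embedded .conf snippets are constructed samples, and the stanza names (CHIWIN, LAXLI, ANCLIN) follow the naming convention used in the answer above.

```python
import re

# Constructed sample of indexes.conf on the indexer (hypothetical, not from the thread).
INDEXES_CONF = """
[CHIWIN]
homePath = $SPLUNK_DB/CHIWIN/db
[LAXLI]
homePath = $SPLUNK_DB/LAXLI/db
"""

# Constructed sample of a forwarder's inputs.conf: one stanza targets an index
# (ANCLIN) that was never created on the indexer, which is exactly the mistake
# the answer warns about.
INPUTS_CONF = """
[default]
index = main
[WinEventLog:Security]
index = CHIWIN
disabled = 0
[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN
disabled = false
[monitor:///var/log/messages]
sourcetype = syslog
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def find_undefined_indexes(inputs_text, indexes_text):
    """Return {input stanza: index} for enabled inputs whose target index is not defined on the indexer."""
    defined = set(parse_conf(indexes_text)) | {"main"}  # 'main' always exists
    inputs = parse_conf(inputs_text)
    default_index = inputs.get("default", {}).get("index", "main")
    problems = {}
    for name, keys in inputs.items():
        if name == "default" or keys.get("disabled", "0").lower() in ("1", "true"):
            continue
        target = keys.get("index", default_index)
        if target not in defined:
            problems[name] = target
    return problems
```

Run it against the real files (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf on each forwarder and indexes.conf on the indexer) before enabling the new inputs; any stanza it reports will send data nowhere useful until the index is created.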
Hi Ayn - Yep. Found that 10 minutes after the post. Thank you all the same!
The summary page in the Search app shows the indexes that the user you're logged in is configured to search by default. This can be set in the manager, commonly through the user's role - Access controls -> Roles ->
Exactly what I was looking for. It works perfectly.
Thank You!
You wouldn't know how to get this new index viewed by the Search App, do you? I am not an XML guy, so I'm hoping I don't have to write XML code for this.