Getting Data In

Segregation of incoming data

sconnors
Engager

In our environment (mid-size enterprise with remote sites) we have our primary indexer on dedicated hardware. All data that is indexed is sent from forwarders distributed throughout the enterprise. On the indexer, I would like to segregate incoming data based on OS and site into separate databases. Something like incoming linux data from LA linux to the LAXLI db, incoming Windows data from Seattle to the SEAWIN db and so on.

Has anyone done this or does anyone know how? Is it possible?


kristian_kolb
Ultra Champion

I guess that by database you mean separate indexes. And yes, this is most certainly doable, and perhaps even desirable.

You'd need to create indexes on your indexer (can be done through the GUI under Manager->Indexes). Then you'll have to configure each forwarder to send data to the correct index in the inputs.conf files on the forwarders, e.g.:

on a Windows forwarder in Chicago:

[WinEventLog:Security]
index = CHIWIN
disabled = 0

[WinEventLog:Application]
index = CHIWIN
disabled = 0

and for a Linux forwarder in Anchorage:

[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN
disabled = false

[monitor:///var/log/myApp/myLog.log]
sourcetype = myType
index = ANCLIN
disabled = false

Please note that you have to create the indexes before you start sending data.

Hope this helps.

Kristian
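To catch the mistake the answer warns about (a forwarder stanza pointing at an index that was never created on the indexer, or forgetting to set an index at all), here is an added Python check. It is not code from the thread or from Splunk: it parses inputs.conf-style stanzas and compares each stanza's index against a set of indexes assumed to exist on the indexer. The sample stanzas, the index set and the <SITE><OS> naming convention are constructed for this example.

```python
import re

# Constructed sample stanzas in the style of the answer above (one Windows
# input, two Linux inputs; the last one forgets to set an index).
SAMPLE_INPUTS_CONF = """
[WinEventLog:Security]
index = CHIWIN

[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN

[monitor:///var/log/myApp/myLog.log]
sourcetype = myType
"""

# Indexes already created on the indexer (constructed for this example).
INDEXER_INDEXES = {"main", "CHIWIN", "SEAWIN", "LAXLIN"}
# Assumed naming convention from the thread: <3-letter site><WIN|LIN>.
INDEX_NAME = re.compile(r"^[A-Z]{3}(WIN|LIN)$")

def parse_stanzas(text):
    """Return {stanza: {key: value}} from .conf text; blanks and comments skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def check_inputs(text, existing_indexes):
    """List (stanza, problem) pairs for inputs whose data would not land as intended."""
    problems = []
    for stanza, keys in parse_stanzas(text).items():
        index = keys.get("index")
        if index is None:
            problems.append((stanza, "no index set; events go to the default index (main)"))
        elif not INDEX_NAME.match(index):
            problems.append((stanza, f"index {index!r} breaks the <SITE><OS> convention"))
        elif index not in existing_indexes:
            problems.append((stanza, f"index {index!r} does not exist on the indexer"))
    return problems
```

Run the check against each forwarder's inputs.conf before enabling the inputs; an empty result means every stanza targets an index that already exists and follows the convention.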

kristian_kolb
Ultra Champion

If your problem was solved, please mark it as answered. Thanks.

/k


sconnors
Engager

Hi Ayn - Yep. Found that 10 minutes after the post. Thank you all the same!


Ayn
Legend

The summary page in the Search app shows the indexes that the user you're logged in as is configured to search by default. This can be set in the manager, commonly through the user's role - Access controls -> Roles -> -> Indexes searched by default


sconnors
Engager

Exactly what I was looking for. It works perfectly.

Thank You!

You wouldn't know how to get this new index viewed by the Search App, do you? I am not an XML guy, so I'm hoping I don't have to write XML code for this.
