Getting Data In

Send events from TA to different indexes depending on hostname

torowa
Path Finder

Hi Splunkers.

What approach are people using to send events from a TA to different indexes depending on the hostname?

For example:

We have the Splunk_TA_nix addon deployed out to our Linux machines.
We want the same source events pulled in for all of our Linux machines, but need the events going to different indexes depending on the host name. For reasons of access/security we need the hosts sending to an index specific to that host's environment.

i.e. for a given source:
- host1a, host1b and host1c send events to "normal_index"
- host2a, host2b and host2c send events to "secure_index"

Our goal here is to avoid having to maintain multiple Linux TAs, with the only difference being the "index = " line in the inputs.conf.
I realise this could be done by copying the TA to a different directory name and updating the index.conf in one of them to use a different index name but code inside the TA seems to expect the TA to sit in a directory of "TA_Splunk_nix" and would break if running inside a differently-named directory.

I don't want to manually change the directory name in the code as this makes upgrading the TA a nightmare.

I've seen something similar to this done using whitelists to detect a hostname in the directory of "monitor" stanzas but this doesn't look to be available for "script" stanzas.

What I am asking:
What method are people using to send events from a TA to different indexes depending on the hostname?

To clarify: I am not wanting to send an event to multiple indexes from the same host.
Thanks.

0 Karma

astackpole
Path Finder

Were you able to get this problem resolved?

I am facing the same issue in my environment now and any guidance you may have would be appreciated!

0 Karma

whrg
Motivator

I suggest you check out the documentation on "Filter event data and send to queues":

https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_...

Set your inputs.conf on all your Linux machines to "index = normal_index".

Now configure routing on your heavy forwarder (or on your indexer if you don't have a heavy forwarder) as follows. props.conf:

[host::host2a]
TRANSFORMS-index = set_secure_index
[host::host2b]
TRANSFORMS-index = set_secure_index
...

And transforms.conf:

[set_secure_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = secure_index

0 Karma
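To see how the routing in the answer above behaves before touching a heavy forwarder, here is an added simulation (my own example, not Splunk code or anything from the Splunk_TA_nix add-on). It parses a constructed props.conf and transforms.conf, applies the host stanza and the `_MetaData:Index` transform to a set of constructed sample events, and reports which index each host's events land in. It assumes the hosts all default to `normal_index` as the answer suggests, and it uses a wildcard host stanza (`[host::host2*]`), which Splunk accepts in props.conf, in place of one stanza per host. The helper names (`parse_conf`, `route_event`, `route_all`) are mine; the simulation also ignores Splunk's stanza-precedence rules, so keep the host patterns non-overlapping when using it to check a real configuration.

```python
"""Simulate Splunk host-based index routing (props.conf + transforms.conf).

Added example, not Splunk's own code. It mirrors the parsing-tier logic the
answer relies on: a [host::...] stanza in props.conf selects a transform,
and a transform whose DEST_KEY is _MetaData:Index rewrites the index when
its REGEX matches the event's _raw text.
"""
import configparser
import fnmatch
import re

# Constructed props.conf: a wildcard host stanza covers host2a/host2b/host2c.
PROPS_CONF = """
[host::host2*]
TRANSFORMS-index = set_secure_index
"""

# Constructed transforms.conf, matching the stanza given in the answer.
TRANSFORMS_CONF = """
[set_secure_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = secure_index
"""


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (TRANSFORMS-index, DEST_KEY, ...)
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def route_event(host, raw, props, transforms, default_index="normal_index"):
    """Return the index an event from `host` with text `raw` would be sent to.

    default_index stands in for the `index =` setting in the TA's inputs.conf.
    """
    index = default_index
    for stanza, settings in props.items():
        if not stanza.startswith("host::"):
            continue
        # props.conf host stanzas allow * wildcards; fnmatch gives the same effect.
        if not fnmatch.fnmatchcase(host, stanza[len("host::"):]):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                transform = transforms[name]
                if transform.get("DEST_KEY") != "_MetaData:Index":
                    continue  # not an index-routing transform
                # REGEX "." matches any non-empty _raw, so every event is rerouted.
                if re.search(transform["REGEX"], raw):
                    index = transform["FORMAT"]
    return index


# Constructed sample events as (host, _raw). Every host runs the same TA
# input, so the raw text is identical and only the host name differs.
SAMPLE_EVENTS = [
    ("host1a", "vmstat 1 2: r b swpd free"),
    ("host1b", "vmstat 1 2: r b swpd free"),
    ("host1c", "vmstat 1 2: r b swpd free"),
    ("host2a", "vmstat 1 2: r b swpd free"),
    ("host2b", "vmstat 1 2: r b swpd free"),
    ("host2c", "vmstat 1 2: r b swpd free"),
]


def route_all(events=SAMPLE_EVENTS):
    """Map each sample host to the index its events would be written to."""
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    return {host: route_event(host, raw, props, transforms) for host, raw in events}


if __name__ == "__main__":
    for host, index in route_all().items():
        print(f"{host:8} -> {index}")
```

Running it prints host1a..host1c against `normal_index` and host2a..host2c against `secure_index`, which is the split the question asks for, with a single copy of the TA and a single `index =` line in inputs.conf. Because the rewrite happens at parse time, the props/transforms pair belongs on the heavy forwarder or indexer, as the answer says; a universal forwarder will not apply it.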