Getting Data In

Using an IP range in Inputs.conf

bongski
Engager

Hey,

I was hoping someone can clarify if an IP range or subnet can be used in inputs.conf.

For example all hosts on

192.168.1.0/24 (192.168.1.0-192.168.1.254) go to index A.

192.168.2.0/24 (192.168.2.0-192.168.2.254) goes to index B.

I have read through the documentation but I can't seem to find anything. Also, if it is possible, what is the correct syntax for the file?

[tcp://192.168.1.0/24:5000]

[tcp://192.168.1.0-192.168.1.254:5000]

If I have missed something in the documentation I apologise.

0 Karma
1 Solution

lguinn2
Legend

I do not believe this is possible. However, you can redirect inputs to different indexes, just not with inputs.conf. Here is how:

inputs.conf

[tcp://:5000]
# record the sender's IP as the host field so the transforms below can match on it
connection_host = ip
sourcetype = mixedinputs
index=defaultIndex

props.conf

[mixedinputs]
# the props.conf setting is TRANSFORMS-<class> (plural, with a class name), not TRANSFORM
TRANSFORMS-separate_inputs = separate_inputs1, separate_inputs2

transforms.conf

[separate_inputs1]
SOURCE_KEY=MetaData:Host
# the key's value looks like "host::192.168.1.1"; anchor the pattern, otherwise
# 192\.168\.1\.1 also matches 192.168.1.10-19 and 192.168.1.100-199
REGEX=^host::192\.168\.1\.1$
DEST_KEY=_MetaData:Index
FORMAT=A

[separate_inputs2]
SOURCE_KEY=MetaData:Host
REGEX=^host::10\.1\.\d+\.\d+$
DEST_KEY=_MetaData:Index
FORMAT=B

First, this assigns all inbound events from port 5000 to defaultIndex (whatever you want to call it). Then, as the data is processed, each event is examined. If the host field (ip) of an event matches the regular expression (REGEX), the event is reassigned to the index named in FORMAT.

Note that you can write the REGEX to "wildcard" the octets, but I don't know how to use CIDR notation with regular expressions.
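As an added example (not code from this thread or from Splunk), the following Python turns any IPv4 CIDR block into an anchored REGEX that matches exactly that block, so the two /24s from the question can be routed with transforms like the ones above without hand-writing octet wildcards. It assumes the MetaData:Host value has the form host::<ip>, as the answer's own REGEX shows; that Splunk's PCRE engine accepts the ordinary character classes, digit escapes, non-capturing groups and ^/$ anchors the generator emits; and that when several transforms in the list match one event, each writes _MetaData:Index in turn. The stanza names net_a and net_b, the route() helper and the host values are constructed for the demonstration.

```python
"""Build an anchored Splunk transforms.conf REGEX that matches exactly one
IPv4 CIDR block. Added example for this thread, not Splunk's own code.
Assumes MetaData:Host carries 'host::<ip>' (as the answer above shows) and
that Splunk's PCRE accepts the plain character classes, digit escapes,
non-capturing groups and anchors emitted here."""
import ipaddress
import re


def _padded(lo: int, hi: int, width: int) -> list:
    """Regex alternatives for zero-padded `width`-digit numbers in [lo, hi]."""
    if width == 0:
        return [""]
    if lo == hi:
        return [str(lo).zfill(width)]
    base = 10 ** (width - 1)
    lo_lead, hi_lead = lo // base, hi // base
    lo_rest, hi_rest = lo % base, hi % base
    full = base - 1
    if lo_lead == hi_lead:
        return [f"{lo_lead}{s}" for s in _padded(lo_rest, hi_rest, width - 1)]
    out = []
    mid_start = lo_lead
    if lo_rest != 0:  # partial run under the lowest leading digit
        out += [f"{lo_lead}{s}" for s in _padded(lo_rest, full, width - 1)]
        mid_start = lo_lead + 1
    mid_end = hi_lead if hi_rest == full else hi_lead - 1
    if mid_start <= mid_end:  # leading digits whose trailing digits are free
        lead = str(mid_start) if mid_start == mid_end else f"[{mid_start}-{mid_end}]"
        out.append(lead + r"\d" * (width - 1))
    if hi_rest != full:  # partial run under the highest leading digit
        out += [f"{hi_lead}{s}" for s in _padded(0, hi_rest, width - 1)]
    return out


def octet_regex(lo: int, hi: int) -> str:
    """Regex for decimal octet values lo..hi, split by digit count (no leading zeros)."""
    alts = []
    for start, end in ((0, 9), (10, 99), (100, 255)):
        a, b = max(lo, start), min(hi, end)
        if a <= b:
            alts += _padded(a, b, len(str(start)))
    return alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")"


def cidr_to_regex(cidr: str) -> str:
    """Regex matching exactly the dotted-quad addresses of an IPv4 CIDR block.

    In a CIDR block the octets before the boundary are fixed, the boundary
    octet is one contiguous range and every later octet is 0..255, so the
    per-octet product below covers exactly the block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = net[0].packed, net[-1].packed
    return r"\.".join(str(lo) if lo == hi else octet_regex(lo, hi)
                      for lo, hi in zip(first, last))


def splunk_host_regex(cidr: str) -> str:
    """Anchored REGEX for SOURCE_KEY=MetaData:Host, whose value is 'host::<ip>'.
    Without the anchors a pattern for 192.168.1.1 also matches 192.168.1.10."""
    return "^host::" + cidr_to_regex(cidr) + "$"


def transforms_stanza(name: str, cidr: str, index: str) -> str:
    """Render one transforms.conf stanza routing a CIDR block to an index."""
    return "\n".join([f"[{name}]", "SOURCE_KEY = MetaData:Host",
                      f"REGEX = {splunk_host_regex(cidr)}",
                      "DEST_KEY = _MetaData:Index", f"FORMAT = {index}", ""])


def route(host_values, rules, default="defaultIndex"):
    """Apply ordered (REGEX, FORMAT) rules to constructed 'host::<ip>' values.
    Each matching rule writes the index, so the last match wins (assumed
    Splunk behaviour); with disjoint blocks, as here, order never matters."""
    compiled = [(re.compile(rx), idx) for rx, idx in rules]
    out = {}
    for hv in host_values:
        out[hv] = default
        for rx, idx in compiled:
            if rx.search(hv):
                out[hv] = idx
    return out


def regex_matches_block(cidr: str) -> bool:
    """Cross-check the regex against ipaddress over a scope 16x the block."""
    net = ipaddress.ip_network(cidr, strict=False)
    rx = re.compile(splunk_host_regex(cidr))
    scope = net.supernet(prefixlen_diff=min(4, net.prefixlen))
    return all((rx.search(f"host::{a}") is not None) == (a in net) for a in scope)


if __name__ == "__main__":
    for name, cidr, idx in (("net_a", "192.168.1.0/24", "A"),
                            ("net_b", "192.168.2.0/24", "B")):
        print(transforms_stanza(name, cidr, idx))
    # constructed host values: one inside each block, one outside both
    print(route(["host::192.168.1.254", "host::192.168.2.17", "host::192.168.10.5"],
                [(splunk_host_regex("192.168.1.0/24"), "A"),
                 (splunk_host_regex("192.168.2.0/24"), "B")]))
```

The generated pattern for 192.168.1.0/24 is `^host::192\.168\.1\.(?:[0-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])$`, which is what a hand-written "wildcard the last octet" REGEX has to look like once you also refuse 192.168.1.256 and the unanchored over-matches; regex_matches_block() brute-forces the block plus its neighbours against the ipaddress module, which is the check worth running before pasting any such REGEX into transforms.conf.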

lguinn2
Legend

Yeah, the event-by-event processing will always cost more resources than the "index the whole input stream from this port" method. There is always a trade-off 😉

0 Karma

bongski
Engager

This worked great, the solution is a bit CPU intensive but worked exactly how I needed it to.

0 Karma

MuS
SplunkTrust

why not just use the index stanza in inputs.conf on the forwarder, should work as well.

0 Karma

bongski
Engager

Thanks for the tip, I will implement it that way and let you know how I go.

0 Karma