Re: how to route data from syslog servers to speci...

saifuddin9122 · ‎06-07-2017

Hello all

i have 3 syslog servers which are forwarding data on udp 7877

i want to route the data to different index. like
syslog1 --> index1
syslog2 --> index2
syslog3 --> index3

here is my inputs.conf

[udp://7877]
connection_host = dns

can any one help me ??

Thanks in Advance

yannK · ‎06-07-2017

The above answer from Adonio is good to rewrite the index for events at indextime using regexes, but if will have a parsing cost for each events.

Another option, if you can split your inputs is to create one udp port input for each index destination.
And have each syslog server send to a specific port.

example :

[udp://7877]  
connection_host = dns
index=index1 
sourcetype=mysyslogsourcetype


[udp://7878]  
connection_host = dns
index=index2
sourcetype=mysyslogsourcetype

[udp://7879]  
connection_host = dns
index=index3
sourcetype=mysyslogsourcetype

adonio · ‎06-07-2017

if i understood correctly
related answer here:
https://answers.splunk.com/answers/75939/split-syslog-udp-514-from-multi-hosts-to-multi-indexes.html

how to route data from syslog servers to specific index??

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

how to route data from syslog servers to specific index??

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES