Hi Folks,
New to Splunk and SC4S deployment. So far I have been able to make good progress. I have set up 2 SC4S servers, one on Linux and the other on Windows with WSL. The challenge that I am facing is that all the syslogs are going to the default indices. For example I see that the FW logs are going to netfw.
I am trying to move them to a new index that I have created: index_new.
I have tried editing the splunk_metadata.csv file but I still see the logs going to netfw. I have tried different configurations but nothing worked:
fortinet_fortigate,index, index_new
or
ftnt_fortigate, index,index_new
or
netfw,index,index_new
In the HEC configuration, I have not selected any index and left it blank. The default index is set to index_new.
Thank you in advance.
PS: I have also tried the Maciek Stopa's posfilter.conf script as well.
Hi
To re-route logs to a different index in SC4S, you must correctly map the source type to your target index in the splunk_metadata.csv file. The format is:
key,index,value
Regarding the key names, you can see these at https://splunk.github.io/splunk-connect-for-syslog/1.91.5/sources/Fortinet/ which are:
key | default index
fortinet_fortios_traffic | netfw
fortinet_fortios_utm | netfw
fortinet_fortios_event | netops
fortinet_fortios_log | netops
See below for more detail on the splunk_metadata.csv format:
The columns in this file are key, metadata, and value. To make a change using the override file, consult the example file (or the source documentation) for the proper key and modify and add rows in the table, specifying one or more of the following metadata/value pairs for a given key:
key which refers to the vendor and product name of the data source, using the vendor_product convention. For overrides, these keys are listed in the example file. For new custom sources, be sure to choose a key that accurately reflects the vendor and product being configured and that matches the log path.
index to specify an alternate value for index.
Check the docs for more info on the format.
After editing splunk_metadata.csv, you must restart the SC4S container or service for changes to take effect.
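As an added example (not SC4S's own code and not part of the original thread), the following script lints a splunk_metadata.csv override against the three-column key,metadata,value format and the Fortinet keys listed above: it flags keys that are not documented (including the index name netfw used as a key, as in the first post), whitespace around fields, and metadata names other than index, then shows which index each documented key would resolve to once the override is applied. The known-key table is copied from the answer; the whitespace check is an assumption that fields are matched literally, which the docs excerpt does not state either way. Sample override texts are constructed here.

```python
"""Lint an SC4S splunk_metadata.csv override file (added example, not SC4S code)."""
import csv

# Keys and default indexes, taken from the Fortinet table in the answer above.
# Only the rows the thread shows are included; the real source list is longer.
KNOWN_KEYS = {
    "fortinet_fortios_traffic": "netfw",
    "fortinet_fortios_utm": "netfw",
    "fortinet_fortios_event": "netops",
    "fortinet_fortios_log": "netops",
}

# The thread only documents the "index" metadata name, so that is all we accept.
ALLOWED_METADATA = {"index"}


def parse_override(text):
    """Return (line_number, fields) for every non-blank, non-comment line."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = next(csv.reader([line]))  # csv handles quoting; no space skipping
        rows.append((lineno, fields))
    return rows


def lint_override(text):
    """Return a list of human-readable problems; an empty list means the file looks right."""
    problems = []
    index_names = set(KNOWN_KEYS.values())
    for lineno, fields in parse_override(text):
        if len(fields) != 3:
            problems.append(
                f"line {lineno}: expected 3 columns (key,metadata,value), got {len(fields)}")
            continue
        key, metadata, value = fields
        # Assumption: fields are matched literally, so stray spaces would not match.
        for name, field in (("key", key), ("metadata", metadata), ("value", value)):
            if field != field.strip():
                problems.append(f"line {lineno}: {name} {field!r} has surrounding whitespace")
        key_s, meta_s, value_s = key.strip(), metadata.strip(), value.strip()
        if key_s not in KNOWN_KEYS:
            hint = " (this is an index name, not a key)" if key_s in index_names else ""
            problems.append(f"line {lineno}: unknown key {key_s!r}{hint}")
        if meta_s not in ALLOWED_METADATA:
            problems.append(f"line {lineno}: unsupported metadata name {meta_s!r}")
        if not value_s:
            problems.append(f"line {lineno}: empty value")
    return problems


def effective_index(text):
    """Map every documented key to the index it resolves to after applying the override."""
    result = dict(KNOWN_KEYS)
    for _lineno, fields in parse_override(text):
        if len(fields) != 3:
            continue
        key, metadata, value = (f.strip() for f in fields)
        if metadata == "index" and key in result:
            result[key] = value
    return result


# Constructed sample: the three attempts from the first post, concatenated.
FIRST_ATTEMPTS = (
    "fortinet_fortigate,index, index_new\n"
    "ftnt_fortigate, index,index_new\n"
    "netfw,index,index_new\n"
)

# Constructed sample: rows using the documented keys, no stray whitespace.
DOCUMENTED_KEYS_OVERRIDE = (
    "fortinet_fortios_traffic,index,index_new\n"
    "fortinet_fortios_utm,index,index_new\n"
)

if __name__ == "__main__":
    for label, sample in (("first attempts", FIRST_ATTEMPTS),
                          ("documented keys", DOCUMENTED_KEYS_OVERRIDE)):
        print(f"== {label} ==")
        for problem in lint_override(sample) or ["no problems found"]:
            print("  " + problem)
        for key, idx in effective_index(sample).items():
            print(f"  {key} -> {idx}")
```

Run it against the file under /opt/sc4s/local/context by reading that path into lint_override; a non-empty problem list is the first thing to fix before restarting SC4S.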
Thank you @livehybrid,
I edited the splunk_metadata.csv, removed the existing entries, added the key,index,value rows below and restarted SC4S:
fortinet_fortios_traffic, index, index_new
fortinet_fortios_utm, index, index_new
That did not work either.
Am I still missing something here? Also, is there a way to change all the default indexes (netfw, netops, oswin, osnix and so on) to a single new index?
Please can you confirm where the splunk_metadata.csv is that you updated?
I'm not sure it's possible to overwrite the defaults, other than by using the splunk_metadata.csv file.
@livehybrid, it is in the /opt/sc4s/local/context folder.
Thanks