Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

split syslog data from multiple ip addresses into separate indexes

plj3736
New Member
‎04-21-2014 01:28 PM

I have multiple linux hosts sending syslog data (port 514) and want to split the data into different indexes based on ip address. I know I can set this up with each sending to a different port, but expect to have more hosts in future so sending to different ports based on ip address could become confusing.

I created a props.conf with

[192.168.17.3]
sourcetype=abc

[192.168.17.4]
sourcetype=mail

but how do I tell splunk to send data from 192.168.17.3 to index abc?

Tags (1)
0 Karma
Reply

plj3736
New Member
‎04-24-2014 10:41 AM

I've tried the suggestion from the first answer. transforms.conf seems to have an issues with the assign statement. Indication is this is not a valid statement. I'm somewhat new to working with props and transforms and really novice with REGEX, therefore found the 2nd answer confusing. I had looked at it before I posted the original question.

I someone can help with why the assign statement doesn't work as noted above, would greatly appreciate.

TIA

0 Karma
Reply

grijhwani
Motivator
‎04-24-2014 05:55 PM

If you are commenting on answers you should place your comments against the appropriate answer to facilitate an easier discussion. The "assign" remarks in the first answer are purely conversational, not part of the config text.

0 Karma
Reply

grijhwani
Motivator
‎04-21-2014 05:09 PM

You query appears to be addressed in the answer to be found at http://answers.splunk.com/answers/60972/split-syslog-input-into-multiple-indexes with another variant to be found at http://answers.splunk.com/answers/75939/split-syslog-udp514-from-multi-hosts-to-multi-indexes

However, if you are running on Linux or similar (you don't specify), I would strongly recommend installing running syslog-ng (open-source edition should be good enough) as your syslog server, and configuring THAT to be your point of separation and configure your sources accordingly. The native Splunk syslog service is very limited.

0 Karma
Reply

kheli
Path Finder
‎04-21-2014 02:42 PM

Here are the steps to achieve it,

  1. Create props.conf to override sourcettype and index. Sourcetype can not be specified under host stanza as you put above in props.conf.

Assume you are using automatic sourcetyping of the the syslog

props.conf

[host::192.168.17.3]
TRANSFORMS-0force_index_sourcetype = 0force_index, 0force_sourcetype

[host::192.168.17.4]
TRANSFORMS=1force_index_sourcetype = 1force_index, 1force_sourcetype

transforms.conf

assign abc index

[0force_index]
SOURCE_KEY=MetaData:Host
REGEX=^192.168.17.3$
DEST_KEY=_MetaData:Index
FORMAT=abc

assign abc sourcetype

[1force_sourcetype]
SOURCE_KEY=MetaData:Host
REGEX=^192.168.17.3$
DEST_KEY=MetaData:Sourcetype
FORMAT=abc

I have not tested this.

0 Karma
Reply

grijhwani
Motivator
‎04-24-2014 05:57 PM

Edited the above to make the configuration detail stand out from the conversational text.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...