Inputs.conf to choose specific index

loatswil
Path Finder

I am using rsyslog with a forwarder to send syslog to Splunk. All of the syslog hosts are in /log as directories of xxx.xxx.xxx.com. I need anything from xxx.net.xxx.com to go to a "network" index and everything else to go to an "infotech" index.

How do I blacklist xxx.net.xxx.com from going to the "infotech" index? Or is there a better way to do this?

Negating the word "net" with [^net] doesn't work as anything with the letters "n", "e", or "t" are matched (xxx.etn.xxx.com for example).

I have tried whitelisting with .+.\bnet\b.ku.edu but the "catchall" monitor statement [monitor:///log/.../*] always overrides it and puts the logs into the infotech index.

Am I going about this wrong? Is there a better way?

Thanks!


woodcock
Esteemed Legend

Having xxx.net.xxx.com send to a different port is the best option. Short of that, define a filter for that host and write it to a different directory. Be sure that you are doing this (with directories):

http://www.georgestarcher.com/splunk-success-with-syslog/
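The "separate directory" option above, worked through end to end as an added example (this is not configuration from the thread or from the linked article). It assumes rsyslog 7+ RainerScript syntax, that rsyslog sees the senders' full FQDNs as the hostname (the per-host directory names in the question suggest it does), a second base directory /netlog, a .log file suffix, and the index names from the question; the sourcetype is an assumption. The rsyslog rule routes any host whose name contains ".net." to /netlog and stops processing, so it never reaches the default rule that writes into /log. The two monitor stanzas then no longer overlap, and the catchall carries a blacklist as a safety net in case a net host ever lands in /log anyway.

```conf
# ---- /etc/rsyslog.d/10-splunk.conf (assumed path) ----
# One file per host per day, named after the sending host.
template(name="NetLog"   type="string" string="/netlog/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="OtherLog" type="string" string="/log/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Assumption: hostnames arrive as FQDNs, e.g. xxx.net.xxx.com, so the
# substring match on ".net." is unambiguous; "xxx.etn.xxx.com" does not match.
if ($hostname contains ".net.") then {
    action(type="omfile" dynaFile="NetLog")
    stop   # do not fall through to the default rule below
}
action(type="omfile" dynaFile="OtherLog")

# ---- $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder ----
# Network devices: only files rsyslog wrote under /netlog.
[monitor:///netlog/.../*.log]
index = network
sourcetype = syslog
host_segment = 2    # /netlog/<host>/<file> -> second path segment is the host

# Everything else: files under /log. The blacklist is a regex against the
# full file path and is only a safety net; with the rsyslog rule above no
# ".net." host should appear here at all.
[monitor:///log/.../*.log]
index = infotech
sourcetype = syslog
host_segment = 2
blacklist = \.net\.
```

After reloading rsyslog and restarting the forwarder, check with `splunk list monitor` (or `splunk btool inputs list --debug`) that /netlog/... and /log/... show up as two distinct inputs, and confirm in Splunk with `index=network` that the xxx.net.xxx.com hosts land there and nowhere else. Note that Splunk only applies the new stanza to files it has not already tracked, so files created under /log before the change keep their existing index until they roll.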


loatswil
Path Finder

Thanks! We are pretty much doing everything in that link. The problem comes when the default monitor statement overrides anything specific since they are all in the same /log directory.

I think I have a "template" working with rsyslog to put logs from specific hosts into a different base directory "/netlog".

Appreciate the help!
