Splunk Search

Is there a way I can see what data is being indexed on a specific port?

janderson19
Path Finder

Hello,

In the last year, I became the manager of a Splunk system with 0 documentation. All logs were being thrown into index=main, and the only information I can find is in inputs.conf, which is not very helpful:

[splunktcp://50200]
connection_host = ip

[splunktcp://50201]
connection_host = ip

[splunktcp://50202]
connection_host = ip

[splunktcp://42500]
connection_host = ip

[splunktcp://55555]
connection_host = ip

[splunktcp://50203]
connection_host = ip
disabled = 0

[splunktcp://51225]
connection_host = ip

[splunktcp://51125]
connection_host = ip

[splunktcp://514]
connection_host = ip
disabled = 0

[splunktcp://40100]
connection_host = ip
disabled = 0

[splunktcp://50000]
connection_host = ip
disabled = 0

[splunktcp://40300]
connection_host = ip
disabled = 0

[splunktcp://41000]
connection_host = ip
disabled = 0

[splunktcp://42000]
connection_host = ip
disabled = 0

[splunktcp://50100]
connection_host = ip
disabled = 0

I would like to find what data is coming in on these ports, set them all up to come in on 9997, and send them to their own index, so that I can allow the managers of that data to securely access that data, without being able to access logs that are not theirs (via a local role that only allows one or two indexes). Is there any way I can see what data is coming in on what port, or will I have to manually go through and set each port to its own index or sourcetype to find out?

Thanks.

0 Karma
1 Solution

Raghav2384
Motivator

Hello,

Use this search to list all the hosts connected and sending data to your Splunk instance:

index=_internal source=*metrics.log group=tcpin_connections 
 | eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
 | rename connectionType as connectType
 | eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
 | eval version=if(isnull(version),"pre 4.2",version)
 | rename version as Ver 
 | fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
 | eval Indexer= splunk_server
 | eval Hour=relative_time(_time,"@h")
 | stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType sourceIp sourceHost destPort Indexer Ver
 | fieldformat Hour=strftime(Hour,"%x %H")

You can then expand this search by using sourceHost, IP and get the actual "log sources".

Hope this helps!

Thanks,
Raghav

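The search above reads the group=tcpin_connections metrics that every receiving indexer writes to metrics.log. The script below is an added example (not code from this thread or from Splunk) that does the same grouping offline over a handful of constructed metrics.log lines, so the answer to the original question, which senders use which listening port, can be seen without the SPL: for each destPort it collects the sending hosts, the forwarder type (using the same case() rules as the search), the reported version, and the kilobytes received. The field names (destPort, sourceHost, hostname, fwdType, connectionType, version, kb) are the ones the search itself uses; the sample lines are constructed and only approximate the real metrics.log layout.

```python
"""Group tcpin_connections metrics by listening port and sending host.

Added example, not code from the original thread. The sample log lines are
constructed; field names follow the group=tcpin_connections fields the SPL
search uses, and the forwarder labels mirror its case() expression.
"""
import re
from collections import defaultdict

# Constructed sample: two forwarders on port 50200 and one older sender on 514
# that reports neither hostname nor version (the case the search's isnull() handles).
SAMPLE_METRICS_LOG = """\
05-10-2016 10:00:31.123 +0000 INFO  Metrics - group=tcpin_connections, 10.1.20.15:48122:50200, connectionType=cooked, sourcePort=48122, sourceHost=10.1.20.15, sourceIp=10.1.20.15, destPort=50200, _tcp_Bps=2048.00, _tcp_KBps=2.00, _tcp_Kprocessed=60, _tcp_eps=12.5, kb=60.00, version=6.3.3, hostname=web01, fwdType=uf, ssl=false
05-10-2016 10:00:31.124 +0000 INFO  Metrics - group=tcpin_connections, 10.1.20.16:48130:50200, connectionType=cookedSSL, sourcePort=48130, sourceHost=10.1.20.16, sourceIp=10.1.20.16, destPort=50200, _tcp_Bps=1024.00, _tcp_KBps=1.00, _tcp_Kprocessed=30, _tcp_eps=6.0, kb=30.00, version=6.4.1, hostname=web02, fwdType=uf, ssl=true
05-10-2016 10:00:31.125 +0000 INFO  Metrics - group=tcpin_connections, 10.1.30.7:51900:514, connectionType=raw, sourcePort=51900, sourceHost=10.1.30.7, sourceIp=10.1.30.7, destPort=514, _tcp_Bps=512.00, _tcp_KBps=0.50, _tcp_Kprocessed=15, _tcp_eps=3.0, kb=15.00
"""

# key=value pairs are comma separated; values never contain commas or whitespace here.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def forwarder_type(fields):
    """Same classification as the search's case(): fwdType wins, then connectionType."""
    fwd = fields.get("fwdType")
    conn = fields.get("connectionType")
    if fwd == "uf":
        return "univ fwder"
    if fwd == "lwf":
        return "lightwt fwder"
    if fwd == "full":
        return "heavy fwder"
    if conn in ("cooked", "cookedSSL"):
        return "Splunk fwder"
    if conn in ("raw", "rawSSL"):
        return "legacy fwder"
    return "unknown"


def summarize_by_port(log_text):
    """Return {destPort: {"senders", "types", "versions", "kb"}} for tcpin_connections lines."""
    summary = defaultdict(
        lambda: {"senders": set(), "types": set(), "versions": set(), "kb": 0.0}
    )
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue  # metrics.log carries many other groups; skip them
        fields = dict(KV_RE.findall(line))
        # eval sourceHost=if(isnull(hostname), sourceHost, hostname)
        host = fields.get("hostname") or fields.get("sourceHost")
        entry = summary[int(fields["destPort"])]
        entry["senders"].add(host)
        entry["types"].add(forwarder_type(fields))
        # eval version=if(isnull(version), "pre 4.2", version)
        entry["versions"].add(fields.get("version", "pre 4.2"))
        entry["kb"] += float(fields.get("kb", "0"))
    return dict(summary)


if __name__ == "__main__":
    for port, entry in sorted(summarize_by_port(SAMPLE_METRICS_LOG).items()):
        print(f"port {port}: {entry['kb']:.1f} KB from {sorted(entry['senders'])} "
              f"types={sorted(entry['types'])} versions={sorted(entry['versions'])}")
```

Run against real metrics.log files from $SPLUNK_HOME/var/log/splunk on the receiving indexer, the per-port sender list is what you need before moving a port's senders to a dedicated index: a port whose senders are all one team's hosts can be given its own index, while a port shared by unrelated hosts needs to be split first.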

somesoni2
Revered Legend

These seem to be TCP data inputs, and since no values are explicitly defined for index/sourcetype, they are going to the default places. Not sure if you can migrate all of them to use the same port (9997), but you can keep the same port configuration and assign index/sourcetype explicitly in inputs.conf. See this for more info on TCP data inputs:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Monitornetworkports#Configure_a_TCP_input

0 Karma
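Before touching any listener it is worth knowing which stanzas are the problem. The script below is an added example (not code from this thread or from Splunk) that parses an inputs.conf in the layout shown in the question and lists every enabled network listener that sets no index, i.e. every port whose events fall through to the default index, which is exactly what prevents a role restricted to one or two indexes from separating the teams' data. The sample configuration is constructed: two of the question's own stanzas plus one assumed raw tcp stanza that already carries index and sourcetype, for contrast.

```python
"""List network listeners in inputs.conf that do not set an index.

Added example, not code from the original thread. It assumes only the
stanza/key layout shown in the question; the sample configuration is constructed.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two stanzas modelled on the question (no index, default
# destination) and one assumed raw tcp listener that already names its index.
SAMPLE_INPUTS_CONF = """\
[splunktcp://50200]
connection_host = ip

[splunktcp://514]
connection_host = ip
disabled = 0

[tcp://1514]
connection_host = dns
index = netdevices
sourcetype = syslog
"""

NETWORK_INPUT_TYPES = ("splunktcp", "tcp", "udp")


@dataclass
class Listener:
    stanza: str
    kind: str            # splunktcp (forwarder S2S), tcp or udp (raw)
    port: int
    enabled: bool
    index: Optional[str]
    sourcetype: Optional[str]


def parse_listeners(conf_text: str) -> List[Listener]:
    """Read every [type://[host:]port] stanza; other stanza types are ignored."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    listeners = []
    for stanza in parser.sections():
        kind, sep, endpoint = stanza.partition("://")
        if not sep or kind not in NETWORK_INPUT_TYPES:
            continue
        section = parser[stanza]
        # "disabled" defaults to 0 in inputs.conf, so a missing key means enabled.
        disabled = section.get("disabled", "0").strip().lower() in ("1", "true")
        listeners.append(Listener(
            stanza=stanza,
            kind=kind,
            port=int(endpoint.rsplit(":", 1)[-1]),  # tolerate [tcp://host:port]
            enabled=not disabled,
            index=section.get("index"),
            sourcetype=section.get("sourcetype"),
        ))
    return listeners


def listeners_without_index(listeners: List[Listener]) -> List[Listener]:
    """Enabled listeners whose events land in the default index."""
    return [l for l in listeners if l.enabled and l.index is None]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_INPUTS_CONF)
    for l in listeners_without_index(found):
        print(f"{l.stanza}: enabled {l.kind} listener on port {l.port} with no index set")
```

The output is the to-do list for the migration: each listed port needs either an index on its own stanza or, for splunktcp ports, an index set on the forwarders that send to it, since cooked forwarder data normally arrives with its metadata already stamped (assumption: no props.conf or indexes.conf overrides on the receiver). Only once every listener reports an index other than main does a role with a narrow srchIndexesAllowed in authorize.conf actually keep one team's managers out of another team's logs.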


janderson19
Path Finder

Thanks! This worked perfectly!

0 Karma