We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk.
I want to receive the data to a restricted index (securitylogs).
In a first try I configured the listening port in the Webui, Setting -> Forwarding and receiving -> Configure receiving -> added Port 3514
This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers":
inputs.conf
[splunktcp://3514]
disabled = 0
index = securitylogs
Then I used the "| delete" function to remove the data from the main index.
Now I don't get any data from the appliances anymore and I have no idea why.
Maybe someone can give me a hint about what's wrong with my config?
Thank you for the tips.
I've changed nothing but now I'm receiving events.
Unfortunately they go to the main index.
How can I change that?
I've found another article that states: "The splunktcp input is not a data input, but instead an input to listen to Splunk Forwarders."
So I've configured it with props.conf and transforms.conf:
props.conf
[mc_logs]
TRANSFORMS-index=sendtomyindex
transforms.conf
[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=securitylogs
Now the data goes to the index "securitylogs".
It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:
Did you configure the securitylogs index in indexes.conf on all of your indexers (and then restart them)?
It is configured in the app config_all_indexers which is deployed to all indexers.
I've restarted splunkd on all indexers.
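The props/transforms routing posted above only lands events in securitylogs if that index is actually defined on every indexer, which is the check the answer asks about. The following is an added example (not from the thread or from Splunk) that lints the three conf files for exactly that: every TRANSFORMS-* rule rewriting _MetaData:Index must point at a transforms stanza whose FORMAT names an index present in indexes.conf. The conf text is constructed to mirror the poster's stanzas; the indexes.conf paths are hypothetical.

```python
"""Lint Splunk index-routing config: each props TRANSFORMS-* rule that sets
_MetaData:Index must name a transforms stanza whose FORMAT is an index
defined in indexes.conf. Constructed sample text stands in for the files."""
from configparser import ConfigParser

# Constructed sample conf text modelled on the thread (hypothetical app).
PROPS = """
[mc_logs]
TRANSFORMS-index = sendtomyindex
"""
TRANSFORMS = """
[sendtomyindex]
SOURCE_KEY = _MetaData:Index
DEST_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = securitylogs
"""
INDEXES = """
[securitylogs]
homePath = $SPLUNK_DB/securitylogs/db
coldPath = $SPLUNK_DB/securitylogs/colddb
thawedPath = $SPLUNK_DB/securitylogs/thaweddb
"""

def parse_conf(text):
    """Parse Splunk .conf text; keep key case (Splunk keys are case-sensitive)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_index_routing(props_txt, transforms_txt, indexes_txt):
    """Return a list of problems; an empty list means the routing is consistent."""
    props, transforms, indexes = map(parse_conf, (props_txt, transforms_txt, indexes_txt))
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-* value may list several transforms, comma-separated.
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"{stanza}: {key} names missing transform '{name}'")
                elif t.get("DEST_KEY") == "_MetaData:Index" and t.get("FORMAT") not in indexes:
                    problems.append(f"{name}: FORMAT '{t.get('FORMAT')}' is not in indexes.conf")
    return problems

if __name__ == "__main__":
    print(check_index_routing(PROPS, TRANSFORMS, INDEXES) or "routing config is consistent")
```

Run it against the indexes.conf from each indexer (or the deployed app) to catch the case where the transform is correct but the target index is missing on one host.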