×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
francois
Explorer
Member since: ‎11-25-2021
‎05-23-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎11-25-2021
Activity Feed
Topics I've Started
View All

Re: Index redirection

by in Getting Data In
‎01-18-2022 04:30 AM
‎01-18-2022 04:30 AM
Thanks for your help 🙂 We ended up using the stanza "default" in the props.conf and sending it to various transforms.conf group so that it can match multiple regex. ... View more

Re: Index redirection

by in Getting Data In
‎01-14-2022 05:44 AM
‎01-14-2022 05:44 AM
@gcusello  Sorry I don't understand your answer. Syslog-connect ( https://splunkbase.splunk.com/app/4740/#/details ) is, per my understanding, not an app but an appliance (containerized syslog-ng with pre-defined filters) that allows for syslog traffic to be properly categorized into sourcetype, host, index, etc. and then sent to an HEC. Therefore : 1. How can I install this on a search head / Indexer ? 2. How can I pass seaches as inputs ?   ... View more

Re: Index redirection

by in Getting Data In
‎01-14-2022 04:39 AM
‎01-14-2022 04:39 AM
Hi @gcusello, Thank you for your response, Once the event has been processed by the SC4S (Splunk-connect-for-syslog), it is sent as HTTP so I don't think I'll have a problem with volume. From the documentation, a single SC4S instance with proper hardware requirements can handle up to 6TB/day. The events will be replicated on my heavy forwarder, I did try the method described on https://docs.splunk.com/Documentation/Splunk/8.2.4/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system but using this method, I'd have to create an entry in my props.conf for each source / host /sourcetype. This would mean a lot of repetitive / unnecessary work to maintain.  It would be much simpler to be able to replicate an entire index to a third party system. Do you know if it is possible ?  Best regards,  François. ... View more

Index redirection

by in Getting Data In
‎01-14-2022 03:13 AM
‎01-14-2022 03:13 AM
Hi, We are setting up a Splunk infrastructure where we would like to redirect event coming in particular indexes to an external SOC. For example, logs from multiple firewall technologies would be put into the index "clientX_firewall" by an SC4S and this whole index would have to be forwarded to both my indexing tier and the external SOC, whatever the sourcetype / host / source. Is there a way to properly redirect this whole index ? Without having to specify the source / host / sourcetype involved for each type involved ?  Thanks for your help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-23-2022 03:50 AM
Karma given to
View All