Getting Data In

How to define an index per Source for a shared UDP 514 input?

JdeFalconr
Explorer

I'm trying to figure out how to have data from a particular host (i.e. Source) sent to a specific index. To get more specific for my example, I am trying to send Syslog data in on UDP 514. I would like to make it such that multiple devices can all send data to my Indexer on UDP 514, but send data to different indexes based on which host it comes from. I am using only the syslog functionality within the hosts I'm sending data from, not a forwarder installed on those hosts.

With a shared input and no control on the sending end, how do I configure things on my indexer to move data from specific hosts into a separate index? I know I can define individual inputs and define a destination index per input, but that seems like a terrible waste to use a separate port for each input (i.e. this batch of servers comes in on UDP 514 and data goes to index A, this other batch uses UDP 515 and goes to index B, and so on) not to mention the many different firewall ports I might have to open up.

Is it possible to define multiple inputs for the same port and differentiate them between their sending host? That would allow me to use the same port but move data to separate indexes. For instance, say I configure two inputs for UDP 514. One specifies a particular set of hosts and an index for their data while the other one does not specify a host (meaning any other data coming in on UDP 514 goes to that index).

Thanks for the help.

1 Solution

masonmorales
Influencer

While it's technically possible to do what you are asking, it is not easy, and is actually not best practice for a variety of reasons. Take a look at this article: http://www.georgestarcher.com/splunk-success-with-syslog/

If you really insist on keeping network inputs for all of your syslog feeds, and you don't want separate ports for each input's destination sourcetype/index, you will have to configure per-event routing using a lot of regex to separate the data into separate sourcetypes/indexes. Take a look at: http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Routeandfilterdatad

I would strongly advise against the latter though. Save yourself a lot of headache and put a syslog server in the middle instead.
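For readers who still want to try the per-event routing the answer refers to, here is an added example (not from the original post or the Splunk docs) of the props.conf/transforms.conf pattern on the indexer. It routes on the event's host metadata rather than message content, so only the host value is inspected; the IP ranges, hostnames and index names are constructed placeholders.

```ini
# inputs.conf (indexer): one shared UDP 514 input, host taken from the sender's IP.
# Events that match no routing rule below stay in this default index.
[udp://514]
connection_host = ip
sourcetype = syslog
index = syslog_default

# props.conf: attach the routing transforms to everything arriving on this input.
# Transforms run in the order listed; the last one that matches wins.
[source::udp:514]
TRANSFORMS-route_by_host = route_firewalls, route_dmz

# transforms.conf: key each rule on the host field, not the raw event text.
# Caveat: the built-in "syslog" sourcetype may overwrite host with the hostname
# parsed from the syslog header, so each REGEX accepts an IP or a hostname form.
[route_firewalls]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:10\.1\.1\.(?:1[0-9])|fw-edge-\d+)$
DEST_KEY = _MetaData:Index
FORMAT = firewall

[route_dmz]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:10\.2\.\d+\.\d+|dmz-[a-z0-9-]+)$
DEST_KEY = _MetaData:Index
FORMAT = dmz
```

Every index named in a FORMAT line must already exist in indexes.conf, otherwise the matching events are dropped rather than falling back to the default; after a restart, search `index=firewall OR index=dmz | stats count by host` to confirm each sender landed where intended.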


JdeFalconr
Explorer

Thank you, that's extremely helpful. That article was spot-on what I needed.

I do have to say I'm completely mystified that doing what I'm asking is so incredibly difficult to configure on the Indexer. It really seems like this was an intentional decision to leave this feature out. Obviously Splunk is able to examine what network port data comes in on and make a decision purely based on that as to which index data goes into. Furthermore it can include or exclude data based on what host the data is sourced from on that port. Yet for some reason while it can differentiate between multiple hosts on a single port for data inclusion/exclusion it is unable to perform the same differentiation in terms of what the destination index should be! Ridiculous! Even worse, you're saying it can be done based on regex inspection of the content of the data, yet as I've previously illustrated you can do what I'm asking without looking at any of the contents of the incoming data at all!
