
Adding more stanzas to the same inputs.conf for the same script, but two destinations

jravida
Communicator

Hi folks,

I'm trying to utilize the nessus app to monitor two 'incoming' directories for *.nessus scan files dropped there. I want to use a different index for each scan depending on which 'incoming' folder the nessus scan is copied to.

My current inputs.conf looks like this:

# Scripted input: every 120 s run nessus2splunk.py, which converts *.nessus files
# found in the domainA incoming directory and writes the result to the parsed directory
[script:///opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus2splunk.py -s /opt/splunk/scans/domainA/incoming -t /opt/splunk/scans/domainA/parsed]
disabled = false
interval = 120

# Batch input: ingest whatever lands in the parsed directory, then delete it (sinkhole)
[batch:///opt/splunk/scans/domainA/parsed]
index = domainA
source = domainA
sourcetype = nessus
move_policy = sinkhole
crcSalt =

So it just looks to one folder every two minutes, if it sees the file it runs the python script and drops it into the parsed folder (as far as I am aware) and ingests it.

I want to input domainB scans just the same, but I want them to go to a different index, with the same nessus sourcetype.

Is there a way I can easily tell these inputs to treat a second folder differently and apply different indexes, or is it limited to one?

dwaddle
SplunkTrust

Yes, you can solve it this way, with a pair of scripted/batch inputs for each domain, as long as the paths to each are unique.

However, you might be happier using props.conf and transforms.conf to make the necessary routing rules based on the source in the event.

(transforms)
# Each transform rewrites the event's index; REGEX = . matches any non-empty event
[index_domainA]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainA

[index_domainB]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainB

(props)
# TRANSFORMS-<name> must reference the transform stanza name, i.e. index_domainA, not the index.
# In a source:: stanza '*' does not cross '/', so '...' is used to match files in subdirectories.
[source::/opt/splunk/scans/...domainA...]
TRANSFORMS-index = index_domainA

[source::/opt/splunk/scans/...domainB...]
TRANSFORMS-index = index_domainB

This requires, though, that the names of the scan report files have the domain in the file name.
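As an added illustration (not code from the thread or from Splunk), the following Python models the routing described above: it applies props.conf source:: wildcard matching and the TRANSFORMS- lookups to a source path and returns the destination index. It assumes Splunk's documented wildcard semantics ('...' crosses '/', '*' does not) and the constructed conf text embedded inline; the check that every TRANSFORMS- value names an existing transform stanza is what would have caught a mismatch such as TRANSFORMS-index=domainA against [index_domainA].

```python
import configparser
import re

# Constructed copies of the thread's two conf files (not a real Splunk deployment).
TRANSFORMS_CONF = """
[index_domainA]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainA
[index_domainB]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainB
"""
PROPS_CONF = """
[source::/opt/splunk/scans/...domainA...]
TRANSFORMS-index = index_domainA
[source::/opt/splunk/scans/...domainB...]
TRANSFORMS-index = index_domainB
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: TRANSFORMS-index, DEST_KEY, FORMAT
    cp.read_string(text)
    return cp

def source_stanza_to_regex(stanza):
    # props.conf wildcards: '...' matches anything, '*' matches anything except '/'
    parts = re.split(r"(\.\.\.|\*)", stanza[len("source::"):])
    body = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def route_index(source, raw, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF, default="main"):
    """Index an event with this source/_raw lands in; KeyError on a dangling TRANSFORMS- reference."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    index = default
    for stanza in props.sections():
        if not stanza.startswith("source::") or not source_stanza_to_regex(stanza).match(source):
            continue
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    raise KeyError(f"{stanza}: {key} references undefined transform [{name}]")
                t = transforms[name]
                if t.get("DEST_KEY") == "MetaData:Index" and re.search(t["REGEX"], raw):
                    index = t["FORMAT"]
    return index
```

Note that the batch stanza in the question sets `source = domainA`, which replaces the file path as the event's source; with that setting in place the source:: stanzas would have to match that value rather than a path.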
