Hi folks,
I'm trying to utilize the nessus app to monitor two 'incoming' directories for *.nessus scan files dropped there. I want to use a different index for each scan depending on which 'incoming' folder the nessus scan is copied to.
My current inputs.conf looks like this:
[script:///opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus2splunk.py -s /opt/splunk/scans/domainA/incoming -t /opt/splunk/scans/domainA/parsed]
disabled = false
interval = 120
[batch:///opt/splunk/scans/domainA/parsed]
index = domainA
source = domainA
sourcetype = nessus
move_policy = sinkhole
crcSalt =
So it just looks at one folder every two minutes; if it sees a file, it runs the python script, drops the result into the parsed folder (as far as I am aware) and ingests it.
I want to input domainB scans just the same, but I want them to go to a different index, with the same nessus sourcetype.
Is there a way I can easily tell these inputs to treat a second folder differently and apply different indexes, or is it limited to one?
Yes, you can solve it this way, with a pair of scripted/batch inputs for each domain, as long as the paths to each are unique.
However, you might be happier using props.conf and transforms.conf to make the necessary routing rules based on the source in the event.
(transforms)
[index_domainA]
DEST_KEY=MetaData:Index
REGEX = .
FORMAT = domainA
[index_domainB]
DEST_KEY=MetaData:Index
REGEX = .
FORMAT = domainB
(props)
[source::/opt/splunk/scans/*domainA*]
TRANSFORMS-index = index_domainA
[source::/opt/splunk/scans/*domainB*]
TRANSFORMS-index = index_domainB
This requires, though, that the names of the scan report files have the domain in the file name.
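Added example (not from the original answer): a small Python check that parses a props.conf/transforms.conf pair like the one above and reports any TRANSFORMS-* reference that does not resolve to a stanza in transforms.conf, or any index-routing stanza missing its FORMAT. The sample conf text is constructed here, and one stanza deliberately references a transform name that does not exist so the check has something to report.

```python
import configparser

# Constructed sample: the domainB stanza references "domainB" instead of the
# transform stanza actually named "index_domainB", a typo the check should catch.
PROPS_CONF = """
[source::/opt/splunk/scans/*domainA*]
TRANSFORMS-index = index_domainA
[source::/opt/splunk/scans/*domainB*]
TRANSFORMS-index = domainB
"""

TRANSFORMS_CONF = """
[index_domainA]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainA
[index_domainB]
DEST_KEY = MetaData:Index
REGEX = .
FORMAT = domainB
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}.
    Keys stay case-sensitive and only '=' separates key from value, so a value
    such as MetaData:Index is not split at the colon."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_index_routing(props_text, transforms_text):
    """Return a list of human-readable problems in the props -> transforms routing."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # TRANSFORMS-<class> may list several transforms, comma-separated.
            for ref in (r.strip() for r in value.split(",")):
                t = transforms.get(ref)
                if t is None:
                    problems.append(f"{stanza}: {key} references missing transform '{ref}'")
                elif t.get("DEST_KEY") == "MetaData:Index" and not t.get("FORMAT"):
                    problems.append(f"{ref}: routes to MetaData:Index but has no FORMAT")
    return problems
```

Note that the batch stanza in the question sets `source = domainA`, which replaces the file path as the event's source; the `source::` patterns above only match when that line is removed so the default path-based source is used.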