Hello
I have a number of devices logging to an index feeding Splunk via Syslog on 514/UDP. Now, I want to route logs coming in over port 514 from two particular IP addresses to a specific index.
I would like anything with IP 192.168.1.1 and 192.168.1.2 to get indexed in an index called "web-gateway" and I do not want this configuration to affect anything else coming through via port 514.
From my understanding, I can do this using inputs.conf. I have read through the documentation for inputs.conf and the only thing in relation to IPs I can see in there is to blacklist or whitelist.
Can somebody advise how I can do this please?
Thanks
Define two new stanzas in your inputs.conf:
[udp://192.168.1.1:514]
index=web-gateway
[udp://192.168.1.2:514]
index=web-gateway
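For context, here is how the answer's two stanzas sit next to an existing catch-all UDP input, together with the index definition they depend on. This is an added example, not part of the original posts; the `[udp://514]` stanza, the `main` index name, the `sourcetype` and `connection_host` values and the index paths are assumptions.

```ini
# indexes.conf (on the indexer): the target index must exist before
# any input points at it. Paths follow Splunk's usual layout (assumed).
[web-gateway]
homePath   = $SPLUNK_DB/web-gateway/db
coldPath   = $SPLUNK_DB/web-gateway/colddb
thawedPath = $SPLUNK_DB/web-gateway/thaweddb

# inputs.conf (on the instance listening on 514/UDP)

# Assumed existing catch-all input: every other sender keeps going to
# the index it already uses ("main" is a stand-in for that index).
[udp://514]
sourcetype = syslog
connection_host = ip
index = main

# Stanzas from the answer: a remote host in the stanza name limits the
# settings below to data received from that sender only.
[udp://192.168.1.1:514]
sourcetype = syslog
connection_host = ip
index = web-gateway

[udp://192.168.1.2:514]
sourcetype = syslog
connection_host = ip
index = web-gateway
```

After restarting Splunk, a search such as `index=web-gateway | stats count by host` should list only the two gateway addresses.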
FWIW, names worked too...
thanks!
That worked great thanks
Cool, and thanks for the information.
Hi @j666gak
Thanks for the information and clarifying. I edited your post to include the extra details you provided in your last comment.