Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Receive cooked data to index securitylogs

nicocin
Path Finder
‎04-01-2016 05:52 AM

We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk.

I want to receive the data to a restricted index (securitylogs).

In a first try I configured the listening port in the Webui, Setting -> Forwarding and receiving -> Configure receiving -> added Port 3514

This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers":

inputs.conf
[splunktcp://3514]
disabled = 0
index = securitylogs

Then I used the "| delete" function to remove the data from the main index.

Now I dont get any data from the appliances anymore and I've no idea why..

Maybe someone can give me a hint whats the problem of my config?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nicocin
Path Finder
‎04-04-2016 12:03 AM

Thank you for the tips.

I've changed nothing but now I'm receiving events.

Unfortunately they go to the main index..

alt text

How can I change that?

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

nicocin
Path Finder
‎04-04-2016 12:03 AM

Thank you for the tips.

I've changed nothing but now I'm receiving events.

Unfortunately they go to the main index..

alt text

How can I change that?

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

nicocin
Path Finder
‎04-04-2016 04:17 AM

I've found another article that states "The "splunktcp" input is not a data input, but instead an input to listen to Splunk Forwarders."

So I've configured it with props.conf and transforms.conf:

props.conf
[mc_logs]
TRANSFORMS-index=sendtomyindex

transforms.conf
[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=securitylogs

Now the data goes to the index "securitylogs".

0 Karma
Reply
Solved! Jump to solution

niemesrw
Path Finder
‎04-02-2016 09:41 AM

It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:

  1. Run tcpdump on the indexer where you have that input & index configured, do you see traffic making its way to that indexer?
  2. Run netstat -an | grep 3514 on the indexer to ensure the port is open & listening
  3. Examine the securitylogs index to ensure it's growing
  4. Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads & the indexers)
  5. Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-01-2016 07:54 AM

Did you configure the securitylogs index in indexes.conf on all of your indexers (and then restart them)?

0 Karma
Reply
Solved! Jump to solution

nicocin
Path Finder
‎04-01-2016 07:59 AM

It is configured in the app config_all_indexers which is deployed to all indexers.

I've restarted splunkd on all indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...