Getting Data In

Setting the index in props.conf

las
Contributor

I have a configuration with a log root with several log files, most of these are harmless, but one file contains confidential information.

logroot\loga.log
logroot\logb.log  
logroot\secure.log  

my inputs.conf monitors logroot.

I then use props.conf to set the sourcetype, but I would like to be able to route the secure.log to a different index.

Do I have to use a transform, and use ressources on my indexer, or could I specify this in either props og inputs.conf and do the selection on the universalForwarder?

1 Solution

yannK
Splunk Employee
Splunk Employee

An easier alternative is to define a special inputs on your specific file that will setup the destination index.
A stanza that has an exact path will have precedence over one with a wilcard.

[monitor://logroot\*.log]
sourcetype=mygenericsourcetype
index=mygenericindex

[monitor://logroot\secure.log]
sourcetype=myspecificsourcetype
index=myspecificindex

View solution in original post

las
Contributor

The files in the directory has different sourcetypes, so I need to set it on a per file basis.

0 Karma

yannK
Splunk Employee
Splunk Employee

An easier alternative is to define a special inputs on your specific file that will setup the destination index.
A stanza that has an exact path will have precedence over one with a wilcard.

[monitor://logroot\*.log]
sourcetype=mygenericsourcetype
index=mygenericindex

[monitor://logroot\secure.log]
sourcetype=myspecificsourcetype
index=myspecificindex

triest
Communicator

Just FYI the generic with a blacklist and then a more specific monitor does not work in Splunk 6. Support has said it was never officially supported but the rules were a bit lose and have been tightened in 6.

0 Karma

las
Contributor

Thanks, I will play around with this solution.

0 Karma

bmacias84
Champion

I would add a blacklist your generic monitor.


[monitor://logroot\*.log]
sourcetype=mygenericsourcetype
blacklist = secure.log$
index=mygenericindex
\
[monitor://logroot\secure.log]
sourcetype=myspecificsourcetype
index=myspecificindex

0 Karma

yannK
Splunk Employee
Splunk Employee

2 remarks :

0 Karma

las
Contributor

Yes, that is why, I wondered if it was possible to do it earlier in the process, as it is not a per event filtering, but a per file.

0 Karma

Ayn
Legend

Why are you using props.conf to set sourcetype? The easiest is to do this directly in inputs.conf. Same goes for index.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...