Custom Index per IP Range

tgiles
Path Finder

Hi, All.

Is there a way to customize indexing per IP range?

For example, I have a device in the 192.168.10.0 range. Logs from this device I want to go to the "index1" index. I have another device in the 192.168.50.0 range, and I want all of its logs to go to the "index2" index instead.

If both devices are running Splunk, I can define the default index. However, I'm unsure how to handle everything else that can't run Splunk (network devices, ESX servers, etc.).

Thanks for any input.


tgiles
Path Finder

I was able to pin down what I was looking for in this thread:

http://answers.splunk.com/questions/1463/how-to-route-to-separate-indexes-based-on-host-when-forward...

I'm able to route messages to specific indexes depending on which network range they were received from, which is very handy when there are going to be dozens.

Thanks for everyone's input!

Edub
Explorer

If you want a single TCP Input listener (TCP:514), but to route events to separate indexes based on source IP, you will have to use a transform and a regex.

Does anyone know if Meta:host can be used as a qualifier for a transform?


jbsplunk
Splunk Employee

I presume that you're going to have inputs set up for each of these devices. If you have an input set up for a particular device, you can simply specify the index that you'd like the device to report to inside of inputs.conf.

[stanza]
index=<indexname>

You probably should review the index.conf.spec file, which you can read here:

http://www.splunk.com/base/Documentation/latest/admin/Inputsconf

You'll also need to set up indexes for these inputs. You can set up the indexes in a few different ways; they are documented here:

http://www.splunk.com/base/Documentation/latest/Admin/Setupmultipleindexes


jrodman
Splunk Employee

To add to this, it may be most expedient to have multiple network inputs for devices that log only to the network (but have configurable ports). It's also possible to route data using props and transforms, but this requires some regex wizardry.

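As an added example (not from any post in this thread) of the props/transforms routing that Edub and jrodman describe: two transforms that rewrite the destination index from the sending host's address, using the "index1"/"index2" names and the 192.168.10.0 and 192.168.50.0 ranges from the question. It assumes all devices send to the single TCP listener on port 514 from Edub's post, that the input records the sender's IP as the host field (connection_host = ip), and that the stanza names route_index1 and route_index2 are hypothetical.

```ini
# inputs.conf (constructed example): one listener, host set to the sender's IP
# so the transforms below can match on an address rather than a DNS name.
[tcp://514]
connection_host = ip
# Fallback index for senders that match none of the routing rules.
index = main

# props.conf: events from that listener arrive with source "tcp:514";
# run the routing transforms on them in this order.
[source::tcp:514]
TRANSFORMS-route_by_ip = route_index1, route_index2

# transforms.conf: match on the host metadata and rewrite the destination index.
# MetaData:Host carries the value "host::<host>", so each regex starts with host::.
# The last octet is matched explicitly and the pattern is anchored, so the rule
# for 192.168.10.x does not also capture 192.168.100.x.
[route_index1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.10\.\d{1,3}$
DEST_KEY = _MetaData:Index
FORMAT = index1

[route_index2]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.50\.\d{1,3}$
DEST_KEY = _MetaData:Index
FORMAT = index2
```

index1 and index2 must already exist in indexes.conf (jbsplunk's point above), or the rerouted events are dropped. Index-time transforms run on the instance that parses the data (an indexer or heavy forwarder), not on a universal forwarder.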