Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get logs from network gear to a specific index?

jmads
Explorer
‎11-16-2018 07:33 AM

I use Splunk on Windows. I have several heavy forwarders that forward Windows event logs to my indexer cluster into indexes named for the subnet where the Windows boxes reside. One such subnet has both Windows boxes and network gear. The Windows boxes send logs on port 9997 while the network gear sends on port 514 to the Heavy Forwarder. The logs from the Windows boxes show up in the appropriate index on the indexer cluster, but the network gear shows up in the Main index.

How can I get the logs from the network gear to show up in the Network index from that heavy Forwarder? I believe that the solution lies in creations/modifications to the transforms.conf and props.conf files in splunkhome\etc\system\local folder. I appreciate any help. Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-16-2018 09:10 AM

If your HF is receiving the syslog data directly, look for an inputs.conf setting for udp:514 and add an index=mynetworkindex to it... ideally by running splunk btool --debug inputs list udp

If your HF's machine has a syslog daemon running that receives the data (better practice!), look for a monitor stanza in your HF's inputs.conf that reads the logs from the syslog daemon off disk, and set the network index in there.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-16-2018 09:10 AM

If your HF is receiving the syslog data directly, look for an inputs.conf setting for udp:514 and add an index=mynetworkindex to it... ideally by running splunk btool --debug inputs list udp

If your HF's machine has a syslog daemon running that receives the data (better practice!), look for a monitor stanza in your HF's inputs.conf that reads the logs from the syslog daemon off disk, and set the network index in there.

0 Karma
Reply
Solved! Jump to solution

jmads
Explorer
‎11-16-2018 10:25 AM

Thanks, Martin! I have to unexpectedly leave work early today, but will give this a shot first thing Monday morning!

0 Karma
Reply
Solved! Jump to solution

jmads
Explorer
‎11-20-2018 03:52 AM

Martin, this worked like a champ! Thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...