- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Inputs.conf to choose specific index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using rsyslog with a forwarder to send syslog to Splunk. All of the syslog hosts are in /log as directories of xxx.xxx.xxx.com. I need anything from xxx.net.xxx.com to go to a "network" index and everything else to go to an "infotech" index.
How do I blacklist xxx.net.xxx.com from going to the "infotech" index? Or is there a better way to do this?
Negating the word "net" with [^net] doesn't work as anything with the letters "n", "e", or "t" are matched (xxx.etn.xxx.com for example).
I have tried whitelisting with .+.\bnet\b.ku.edu but the "catchall" monitor statement " [monitor:///log/.../*] " always overrides it and puts the logs into the infotech index.
Am I going about this wrong? Is there a better way???
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have xxx.net.xxx.com send to a different port is the best option. Short of that, define a filter for that host and write it to a different directory. Be sure that you are doing this (with directories):
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have xxx.net.xxx.com send to a different port is the best option. Short of that, define a filter for that host and write it to a different directory. Be sure that you are doing this (with directories):
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! We are pretty much doing everything in that link. The problem comes when the default monitor statement overrides anything specific since they are all in the same /log directory.
I think I have a "template" working with rsyslog to put logs from specific hosts into a different base directory "/netlog".
Appreciate the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the below link,
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Routeandfilterdatad
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
