Re: Pushing certain syslog messages to an Index

dcroteau · ‎12-09-2010

Trying to separate leostream "broker" events that come from syslog into it's own separate index called leostream. Why is this not working? They go into the main index. I've tried the regex with and without the parentheses.

<timestamp whatever> Broker: 111.111.111.111 bla bla bla bla

Any help would be great!

indexes.conf

[leostream]
coldPath = $SPLUNK_DB/leostream/colddb
homePath = $SPLUNK_DB/leostream/db
thawedPath = $SPLUNK_DB/leostream/thaweddb

Props.conf

[syslog]
TRANSFORMS-leostream_data = LEOSTREAM

Transforms.conf

[LEOSTREAM]
REGEX = (111.111.111.111)
DEST_KEY = _MetaData:Index
FORMAT = leostream

satishp · ‎03-10-2011

I have same problem. any solution community ?

dcroteau · ‎12-09-2010

No, syslog.conf is set to my indexer over UDP 514. Very basic input setting. No forwarder involved.

riqbal · ‎05-21-2018

I am forwarding syslog logs to central syslog server. then central syslog server is sending logs to UF.

How can I send the logs to specific index

ftk · ‎12-09-2010

Did you restart the splunk instance after setting this up? Are you sending the syslog data to the indexer directly or to a forwarder?

riqbal · ‎05-21-2018

UF is installed on my syslog server and UF is configured to forward logs to HF.
where should I configure index configuration.

Pushing certain syslog messages to an Index

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...