Splunk Search

Receive cooked data to index securitylogs

nicocin
Path Finder

We have some Appliances (Open System Webproxy), they can send Splunk cooked data into Splunk.

I want to receive the data to a restricted index (securitylogs).

In a first try I configured the listening port in the Webui, Setting -> Forwarding and receiving -> Configure receiving -> added Port 3514

This was working but it was using the main index. So I've reconfigured it in the app "config_all_indexers":

inputs.conf
[splunktcp://3514]
disabled = 0
index = securitylogs

Then I used the "| delete" function to remove the data from the main index.

Now I don't get any data from the appliances anymore and I've no idea why.

Maybe someone can give me a hint what's the problem with my config?


nicocin
Path Finder

Thank you for the tips.

I've changed nothing but now I'm receiving events.

Unfortunately they go to the main index.

How can I change that?



nicocin
Path Finder

I've found another article that states "The 'splunktcp' input is not a data input, but instead an input to listen to Splunk Forwarders."

So I've configured it with props.conf and transforms.conf:

props.conf
[mc_logs]
TRANSFORMS-index=sendtomyindex

transforms.conf
[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=securitylogs

Now the data goes to the index "securitylogs".

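The routing above, written out end to end as an added example (this is not the poster's configuration and not Splunk's documentation): the index itself, the role allowed to search it, the receiving port, and the index-routing transform. The sourcetype name mc_logs, the role name secops and the transform name route_to_securitylogs are assumptions; paths use Splunk's $SPLUNK_DB variable. It goes slightly beyond the thread in two ways: it keys the transform on the appliances' sourcetype so only the proxy events are moved, and it adds the indexes.conf and authorize.conf stanzas that make the index exist and make it "restricted". All stanzas belong in one app deployed to every indexer, as the thread recommends.

```ini
# indexes.conf -- the index must exist on every indexer, then splunkd is restarted.
[securitylogs]
homePath   = $SPLUNK_DB/securitylogs/db
coldPath   = $SPLUNK_DB/securitylogs/colddb
thawedPath = $SPLUNK_DB/securitylogs/thaweddb

# authorize.conf -- make the index "restricted": only this role may search it
# ("secops" is an assumed role name; leave it out of other roles' srchIndexesAllowed).
[role_secops]
srchIndexesAllowed = securitylogs
srchIndexesDefault = securitylogs

# inputs.conf -- receive cooked (forwarder-format) data on the port the appliances use.
# The thread found that index= on this stanza did not route the cooked events;
# the transform below does the routing instead.
[splunktcp://3514]
disabled = 0

# props.conf -- attach the index-time transform to the appliances' sourcetype
# ("mc_logs" is an assumed sourcetype name).
[mc_logs]
TRANSFORMS-index = route_to_securitylogs

# transforms.conf -- rewrite the index metadata key during parsing.
# SOURCE_KEY holds the index the event currently carries ("main" when the sender set none);
# REGEX = (.*) matches any value, so every event of this sourcetype is rewritten.
[route_to_securitylogs]
SOURCE_KEY = _MetaData:Index
DEST_KEY   = _MetaData:Index
REGEX      = (.*)
FORMAT     = securitylogs
```

Two things to keep in mind when applying this: the _MetaData:Index rewrite runs in the indexer's parsing pipeline, so it only affects data that is still unparsed when it arrives (universal-forwarder-style cooked data); if the appliance has already parsed the events itself, the routing has to be configured on the sender. And the earlier `| delete` only marks the events in main as unsearchable; it does not reclaim the disk space they occupy.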

niemesrw
Path Finder

It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:

  1. Run tcpdump on the indexer where you have that input & index configured; do you see traffic making its way to that indexer?
  2. Run netstat -an | grep 3514 on the indexer to ensure the port is open & listening.
  3. Examine the securitylogs index to ensure it's growing
  4. Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads & the indexers)
  5. Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers

woodcock
Esteemed Legend

Did you configure the securitylogs index in indexes.conf on all of your indexers (and then restart them)?


nicocin
Path Finder

It is configured in the app config_all_indexers which is deployed to all indexers.

I've restarted splunkd on all indexers.
