Hey Guys,

I have multiple hosts in my network sending UDP:514 syslog to the main index in Splunk, but now I want to create a separate "production" index for a critical server. So how should I divert its syslog traffic to the new index? I read on Google people talking about props.conf, but how will it work?

asked 04 Mar '11, 18:20

satishp


One Answer:

I've got something similar working where I'm sending a specific type of syslog msg to a separate index. In my case I'm specifying [syslog] in my props.conf and then doing a regex match for the msg I want in transforms.conf.

If you're only sending syslog msgs from the host you want, you can probably filter on the host itself to send all msgs to the separate index. Something like the below (I haven't tested this, btw):

props.conf
# Apply the transform to every event whose host field is "somehost"
[host::somehost]
TRANSFORMS-syslog-somehost = SYSLOGSOMEHOST

transforms.conf
[SYSLOGSOMEHOST]
# Match every event (any _raw) and rewrite its destination index
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = YOURINDEX
WRITE_META = true

answered 02 May '11, 12:37

briang67

edited 02 May '11, 12:38
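An added, more complete version of this routing for the original question's case (several critical hosts sharing one UDP:514 input), not from the answer above: instead of one props.conf stanza per host, the transform matches on the host metadata of everything arriving on udp:514, so only one stanza has to be maintained, and the target index is declared so the events are not dropped for a missing index. The host names, index paths and the index name "production" are assumptions; adjust them to your environment.

```ini
# props.conf  (on the indexer or heavy forwarder that parses the data,
# since index-time transforms run in the parsing pipeline)
# Source for a UDP input is "udp:<port>", so this stanza covers every
# syslog sender on 514 and lets the transform decide per event.
[source::udp:514]
TRANSFORMS-route_prod = route_prod_hosts

# transforms.conf
[route_prod_hosts]
# Match on the host metadata instead of _raw; the key's value is
# prefixed "host::". Hypothetical names prodweb01, prodweb02, proddb01...
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?:prodweb|proddb)\d+$
# Only events that match are rewritten; everything else stays in main
DEST_KEY = _MetaData:Index
FORMAT = production

# indexes.conf
# The destination index must exist, otherwise routed events are dropped.
# Keeping critical servers in their own index also allows a separate
# retention period and role-based access restricted to this index.
[production]
homePath   = $SPLUNK_DB/production/db
coldPath   = $SPLUNK_DB/production/colddb
thawedPath = $SPLUNK_DB/production/thaweddb
# Assumed 1-year retention for the critical hosts (seconds)
frozenTimePeriodInSecs = 31536000
```

Restart the parsing instance after deploying the files, then confirm the routing with a search such as `index=production sourcetype=syslog | stats count by host` and check that `index=main` no longer receives events from those hosts.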
