Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Segregate data base on IP Address

withool000
New Member
‎04-16-2016 11:37 AM

I am looking for the best solution for segregate data into multiple indexes.
There are IP addresses (very vary) being generated into a file which need to be segregated into a specific index.

The only way I can think of is using REGEX in transforms.conf but I am not sure how to regex the IP pattern from file.
Or there might be some better solution for this scenario.

Tags (1)
0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎04-17-2016 10:00 AM

In the inputs.conf file you can easily setup these filters at your forwarders inputs.conf.
By setting the index at the forwarder you have the least compute load on your indexers.
Use a deployment server to send custom inputs.conf to different fowarders/

Most easily just setting a value for index = foo in all the inputs.conf stanza that you want to send to foo
Then deploy this inputs.conf as an app foo/ to the fowarders that match that IP or host addreses. For the systems that you want to send to index=bar, do the same thing, create an inputs.conf that has index=bar set for all the data you want to go to bar. Then create an app called bar/ and deploy that to the hosts which should report to index=bar. Your deployment server controls what systems get Foo vs Bar app. This way to can dynamically change groups and scale your deployment without having to touch each system individually.

Check out the spec file for inputs.conf because there are many options for customizing where to send your data.
host_regex =
acceptFrom =
whitelist =
blacklist =

Check out the Getting Data In docs about white and black listing for mapping to different indexes.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata

Check out the Routing and Data Filtering section
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
Reply

sundareshr
Legend
‎04-17-2016 09:54 AM

As simple regex for match IP would be \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b but this will match any and all IP addresses in the event. What is unique about the IP that need to be routed?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...