Hello,
In the last year, I became the manager of a Splunk system with 0 documentation. All logs were being thrown into index=main, and the only information I can find is in inputs.conf, which is not very helpful:
[splunktcp://50200]
connection_host = ip
[splunktcp://50201]
connection_host = ip
[splunktcp://50202]
connection_host = ip
[splunktcp://42500]
connection_host = ip
[splunktcp://55555]
connection_host = ip
[splunktcp://50203]
connection_host = ip
disabled = 0
[splunktcp://51225]
connection_host = ip
[splunktcp://51125]
connection_host = ip
[splunktcp://514]
connection_host = ip
disabled = 0
[splunktcp://40100]
connection_host = ip
disabled = 0
[splunktcp://50000]
connection_host = ip
disabled = 0
[splunktcp://40300]
connection_host = ip
disabled = 0
[splunktcp://41000]
connection_host = ip
disabled = 0
[splunktcp://42000]
connection_host = ip
disabled = 0
[splunktcp://50100]
connection_host = ip
disabled = 0
I would like to find what data is coming in on these ports, set them all up to come in on 9997, and send them to their own index, so that I can allow the managers of that data to securely access that data, without being able to access logs that are not theirs (via a local role that only allows one or two indexes). Is there any way I can see what data is coming in on what port, or will I have to manually go through and set each port to its own index or sourcetype to find out?
Thanks.
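An added example, not part of the post above: a small audit script that parses an inputs.conf in the shape shown and reports, per splunktcp receiving port, whether the stanza is enabled and which index and sourcetype it sets. Stanzas with no explicit index fall back to Splunk's default index (main, unless the sending forwarder already assigned one), which is exactly how every port's data ends up in index=main; the sample below is constructed from the post's listing, with one hypothetical routed port (9997, index firewall_logs) added so both cases appear.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (trimmed from the post); port 9997 and its index/sourcetype
# values are hypothetical, added to show a stanza that does route its data.
SAMPLE_INPUTS_CONF = """\
[splunktcp://50200]
connection_host = ip
[splunktcp://514]
connection_host = ip
disabled = 0
[splunktcp://40100]
connection_host = ip
disabled = 1
[splunktcp://9997]
connection_host = ip
index = firewall_logs
sourcetype = fw:syslog
"""

@dataclass
class Stanza:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)

def parse_conf(text: str) -> List[Stanza]:
    """Minimal parser for Splunk .conf files: [stanza] headers and key = value lines."""
    stanzas: List[Stanza] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanzas.append(Stanza(line[1:-1]))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1].settings[key.strip()] = value.strip()
    return stanzas

def audit_receivers(text: str, default_index: str = "main") -> Dict[int, dict]:
    """Map each splunktcp port to its enabled state, effective index and sourcetype."""
    report: Dict[int, dict] = {}
    for st in parse_conf(text):
        if not st.name.startswith("splunktcp://"):
            continue
        port = int(st.name.split("://", 1)[1].rsplit(":", 1)[-1])  # also handles host:port
        s = st.settings
        report[port] = {
            "enabled": s.get("disabled", "0").lower() not in ("1", "true"),
            "index": s.get("index", default_index),   # no index => default index
            "sourcetype": s.get("sourcetype"),
            "routed": "index" in s,
        }
    return report

def unrouted_ports(text: str) -> List[int]:
    """Enabled receivers whose data will land in the default index."""
    return sorted(p for p, r in audit_receivers(text).items() if r["enabled"] and not r["routed"])
```

Run it against the real inputs.conf to get the list of enabled ports still feeding main, which is the set that needs an index (and ideally a sourcetype) before a per-index role can isolate each team's data.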