Routing syslog data to custom indexes
When routing data from SC4S, you may have existing indexes you need to use for compliance or other reasons.
The splunk_metadata.csv file contains a “key” that is referenced in the log path for each data source. These keys are documented in the individual source files in this section, and they allow you to override Splunk metadata either in whole or in part. To achieve custom index routing, update the contents of splunk_metadata.csv in /opt/sc4s/local/context on the host to:
cisco_asa,index,<custom index name>
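The following is an added example, not part of the original article or of SC4S itself: a Python helper that sets the index override for one key in the contents of splunk_metadata.csv while leaving every other row alone, and that rejects names which break Splunk's naming rules for user-defined indexes. The function name and the sample rows are assumptions made for illustration; the three-column layout follows the cisco_asa line above.

```python
import csv
import io
import re

# Splunk's rule for user-defined index names: lowercase letters, digits,
# underscores and hyphens, not starting with "_" or "-", no "kvstore".
INDEX_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def set_index_override(csv_text, key, index):
    """Return csv_text with exactly one `<key>,index,<index>` row.

    Rows for other keys, and other metadata fields of the same key, are kept.
    """
    if not INDEX_NAME.match(index) or "kvstore" in index:
        raise ValueError(f"not a valid Splunk index name: {index!r}")
    rows, replaced = [], False
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected key,metadata,value, got {row}")
        if row[0] == key and row[1] == "index":
            if replaced:
                continue  # drop a duplicate override for the same key
            row, replaced = [key, "index", index], True
        rows.append(row)
    if not replaced:
        rows.append([key, "index", index])  # no existing override: append one
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


# Constructed sample file contents (not taken from a real deployment).
SAMPLE = "cisco_asa,index,netfw\ncisco_asa,sourcetype,cisco:asa\ncisco_ios,index,netops\n"

if __name__ == "__main__":
    print(set_index_override(SAMPLE, "cisco_asa", "compliance_fw"), end="")
```

Write the returned text back to splunk_metadata.csv only after confirming that the target index already exists in Splunk.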
Next steps
These additional Splunk resources might help you understand and implement this use case:
- Blog: Splunk Connect for Syslog: Configuration in depth
- .Conf Talk: Splunk Connect for Syslog: Extending the platform
- GitHub: Splunk Connect for Syslog
Finally, you might be interested in other processes associated with the Understanding best practices for Splunk Connect for Syslog use case.