Splunk Index and Input Configuration for Layer8Insight

Starting with version 1.3 of our Layer8Insight Indexer App for Splunk, the app no longer predefines default inputs and indexes for Layer8Insight agent data. This change was dictated by the Splunk App certification requirements.

Index Configuration

Regarding indexes, the legacy default configuration defined two indexes: one for raw agent data and one for summarized alerts and data. What follows is the legacy configuration of indexes (indexes.conf) for the Layer8Insight Indexer App for Splunk. You can use this as a template to create a local version that suits your needs. Please consult the product documentation for more information about multi-tenancy and index name patterns.

# Default index setup for Layer8/Layer8Insight agent data.
# The frozenTimePeriodInSecs sets the default data retention
# limit to one year.
[layer8]
homePath = $SPLUNK_DB/layer8/db
coldPath = $SPLUNK_DB/layer8/colddb
thawedPath = $SPLUNK_DB/layer8/thaweddb
frozenTimePeriodInSecs = 31556952

# Default summary index setup for Layer8/Layer8Insight agent.
# The summary index holds custom alerts events that are
# calculated by the Layer8Insight App for Splunk.
# The frozenTimePeriodInSecs sets the default data retention
# limit to one year.
[summary_layer8]
coldPath = $SPLUNK_DB/summary_layer8/colddb
homePath = $SPLUNK_DB/summary_layer8/db
thawedPath = $SPLUNK_DB/summary_layer8/thaweddb
frozenTimePeriodInSecs = 31556952

Inputs Configuration

The default configuration in the legacy app defined two inputs: TCP port 8050 for raw agent data and TCP port 8060 for alerts. Starting with the release of the Layer8Insight agent, only a single input for all agent data is required. The Layer8Insight agent also supports JSON-formatted data, so a new sourcetype, "layer8:json", is available as well. Consult the product documentation for all options regarding formats and input methods. Note that using the Splunk Universal Forwarder or the Splunk HTTP Event Collector removes the need to define inputs with the following configuration methods.

What follows is the legacy configuration of inputs (inputs.conf) for sending data in Key-Value/Name-Value pair format directly to Splunk.

# Default input setup for Key-Value/Name-Value pair
# formatted Layer8/Layer8Insight agent data. Only
# the index and sourcetype settings are significant
# in determining how data is handled in the pre-built
# apps. Change the sourcetype to another setting if
# something other than Key-Value/Name-Value pair is
# used, e.g. "layer8:json" for JSON-formatted data.
[tcp://8050]
sourcetype = layer8data
source = layer8datatcp
connection_host = dns
index = layer8

# Default input setup for Key-Value/Name-Value pair
# formatted Layer8/Layer8Insight alerts. Only
# the index and sourcetype settings are significant
# in determining how data is handled in the pre-built
# apps.
[tcp://8060]
sourcetype = layer8alerts
source = layer8alertstcp
connection_host = dns
index = layer8
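Once you have turned the two templates above into local indexes.conf and inputs.conf files, it is worth checking that they agree before restarting Splunk: an input that names an index which does not exist, or a sourcetype the pre-built apps do not recognise, means agent data quietly lands somewhere the dashboards never look. The following script is an added example, not part of the Layer8Insight app; it parses both files with Python's configparser and reports mismatches, using constructed sample text based on the legacy configuration with two deliberate errors.

```python
# Added example, not part of the Layer8Insight app: cross-check a local indexes.conf
# against inputs.conf. Sample text below is the article's legacy config, constructed
# with one retention limit and one index name deliberately wrong.
import configparser
KNOWN_SOURCETYPES = {"layer8data", "layer8alerts", "layer8:json"}  # per the article

INDEXES_CONF = """
[layer8]
homePath = $SPLUNK_DB/layer8/db
coldPath = $SPLUNK_DB/layer8/colddb
thawedPath = $SPLUNK_DB/layer8/thaweddb
frozenTimePeriodInSecs = 31556952
[summary_layer8]
homePath = $SPLUNK_DB/summary_layer8/db
coldPath = $SPLUNK_DB/summary_layer8/colddb
thawedPath = $SPLUNK_DB/summary_layer8/thaweddb
"""  # frozenTimePeriodInSecs left out on purpose: no retention limit

INPUTS_CONF = """
[tcp://8050]
sourcetype = layer8data
connection_host = dns
index = layer8
[tcp://8060]
sourcetype = layer8alerts
index = layer8_alerts
"""  # index name misspelled on purpose

def parse_conf(text):
    # Splunk .conf files are INI-like; keys are case-sensitive (homePath, coldPath)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_conf(indexes_text, inputs_text):
    # Returns a list of problems; an empty list means the pair is consistent.
    indexes, inputs = parse_conf(indexes_text), parse_conf(inputs_text)
    problems = []
    for name, s in indexes.items():
        for key in ("homePath", "coldPath", "thawedPath", "frozenTimePeriodInSecs"):
            if key not in s:
                problems.append(f"[{name}]: missing {key}")
    for stanza, s in inputs.items():
        idx = s.get("index")
        if idx not in indexes:  # unset or undefined: events would land in the wrong index
            problems.append(f"[{stanza}]: index {idx!r} is not defined in indexes.conf")
        if s.get("sourcetype") not in KNOWN_SOURCETYPES:
            problems.append(f"[{stanza}]: sourcetype {s.get('sourcetype')!r} is unknown to the apps")
    return problems
```

Run `check_conf` over your real files (read them with `open(...).read()`) and treat any non-empty result as a reason not to restart yet.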
