topic Re: How to create and redirect event to the indexes? in Splunk Enterprise

How to create and redirect event to the indexes?

sathyajith_tekd — Mon, 12 Mar 2018 08:13:43 GMT

I have created an splunk distributed setup which consist of a Search Head,indexer and two heavy forwarder.Right now am forwarding events from windows,Linux and firewall through syslog-ng to the indexer.But the events are store in main index.So I want to create and redirect to a separate index for windows,linux and syslog and also, is it possible to move the event stored in main index to the corresponding indexes.

Re: How to create and redirect event to the indexes?

tiagofbmm — Mon, 12 Mar 2018 08:18:28 GMT

You need to go to the inputs.conf in each of the Splunk Apps (Windows, Linux and Firewall), and under each stanza such as WinEventLog://Application and put a index under it.

[WinEventLog://Application]
index=your_index

Do the same for all the other stanzas in the inputs.conf you are collecting.

You also need to create the indexes you want. You can do it in the Splunk UI of the Indexer, under Settings, Indexes, New Index

Re: How to create and redirect event to the indexes?

sathyajith_tekd — Mon, 12 Mar 2018 08:29:28 GMT

Right now I have about 65,000 of events in the main index (windows,Linux,syslog),Is it possible to move the events to the corresponding indexes.

Re: How to create and redirect event to the indexes?

deepashri_123 — Tue, 29 Sep 2020 18:27:54 GMT

Hey sathyajith_tekdeliver,
Already indexed data cannot be added to new index. However you can re-index the data to the new index.

For distributed environment.

Create seperate index in indexes.conf in $SPLUNK_HOME$/etc/master-apps/_cluster/local
for all indexes you want
Sample index format:

[linux]

homePath = $SPLUNK_DB/linux/db
coldPath = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb

From the master, Push the configuration bundle via GUI.
Settings>Indexer Clustering>Distribute configuration Bundle.

This will create indexes.

In inputs.conf on the forwarder add index to which data has to be indexed.
Sample:

[monitor://]
index = linux

And restart splunk.

If you are trying to re-index data then you need to add crc_salt in inputs.conf
Refer this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Indexerclusterinputs
Let me know if this helps!!!

Re: How to create and redirect event to the indexes?

tiagofbmm — Mon, 12 Mar 2018 08:34:48 GMT

These events in the main index are in buckets mixed with others, which means you can't just move the buckets from one index to the other.

As these are not [monitor:....] stanzas, but rather scripts running on the servers, you can't have the data "reingested" unfortunately.

You can explore the collect command to see if you can get something out of it, but the main point here is: if data is there, specially in a default index that in your case has many sources in there, there is no trivial way to do that I believe

Re: How to create and redirect event to the indexes?

sathyajith_tekd — Mon, 12 Mar 2018 08:44:34 GMT

Thank you so much

Re: How to create and redirect event to the indexes?

tiagofbmm — Mon, 12 Mar 2018 08:48:55 GMT

Can you accept my answer below? You just accepted your own

Re: How to create and redirect event to the indexes?

sathyajith_tekd — Fri, 23 Mar 2018 12:12:34 GMT

Hello,

After adding the stanzas the events are indexed in a new index except some events.
Sources such as

Perfmon:Network Interface

Perfmon:CPU Load

Perfmon: Available Memory
is still indexed in default,So how to move these source to the new index