https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99522#M20819 <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> Fri, 19 Apr 2013 10:54:49 GMT Ayn 2013-04-19T10:54:49Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99510#M20807 <P>Hi</P> <P>I configured Universal forwarder to push the windows event logs ( adfs logs ) to main splunk server.</P> <P>Can anyone help me how to configure the application and indexer.</P> <P>Thanks in advance</P> Thu, 18 Apr 2013 12:18:54 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99510#M20807 skomath 2013-04-18T12:18:54Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99511#M20808 <P>Platform : windows</P> Thu, 18 Apr 2013 13:47:33 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99511#M20808 skomath 2013-04-18T13:47:33Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99512#M20809 <P>A little more information would be helpful .... what app, what index, what specifically do you need help with? You might want to take a look at the Splunk App for Active Directory (<A href="http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory">http://splunk-base.splunk.com/apps/51338/splunk-app-for-active-directory</A>) as it will do most of the configuration for you.</P> Thu, 18 Apr 2013 14:04:13 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99512#M20809 jstockamp 2013-04-18T14:04:13Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99513#M20810 <P>In splunk web we can add new application ( say myApp ) right. And I created new index as well ( called myIndex). And the in our application server I installed unversal forwarder and configured to push adfs logs. Logs are moving to main index.</P> Thu, 18 Apr 2013 14:10:35 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99513#M20810 skomath 2013-04-18T14:10:35Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99514#M20811 <P>Do you want any more details ?</P> Thu, 18 Apr 2013 14:13:47 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99514#M20811 skomath 2013-04-18T14:13:47Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99515#M20812 <P>I want to move all logs to specific index ( say myIndex ) rather than going to main index</P> Thu, 18 Apr 2013 14:16:04 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99515#M20812 skomath 2013-04-18T14:16:04Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99516#M20813 <P>Wev are looking for the ADFS monitoring. Splunk App for Active Directory supports ADFS ?</P> Thu, 18 Apr 2013 14:21:15 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99516#M20813 skomath 2013-04-18T14:21:15Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99517#M20814 <P>To specify the index you want an input to go to just add:</P> <P>index=myIndex</P> <P>to the monitor stanza in your inputs.conf (on the forwarder).</P> <P>I don't believe Splunk for AD supports ADFS logs specifically.</P> Thu, 18 Apr 2013 14:33:03 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99517#M20814 jstockamp 2013-04-18T14:33:03Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99518#M20815 <P>which location ? which file, Is it inputs.conf ?</P> Thu, 18 Apr 2013 14:38:43 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99518#M20815 skomath 2013-04-18T14:38:43Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99519#M20816 <P>It sounds like you were already configured the forwarder to push ADFS logs (which means you configured an inputs.conf file to monitor a directory). In that inputs.conf add index=myIndex and you should be good. there can be multiple inputs.conf files on a forwarder, so you could have configured it in a number of places.</P> Thu, 18 Apr 2013 14:43:30 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99519#M20816 jstockamp 2013-04-18T14:43:30Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99520#M20817 <P>ADFS will write the logs into windows event log. I configured the unversal forwarder to collect log from the windows event log. For installation I used the windows msi setup.</P> Fri, 19 Apr 2013 06:16:17 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99520#M20817 skomath 2013-04-19T06:16:17Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99521#M20818 <P>I specified like this</P> <P>[WinEventLog:Security]<BR /> disabled = 0<BR /> index = myIndex<BR /> All the security logs start moving to the specified index.</P> <P>Now the problem is... I want to filter the security logs before pushing to the server. Like I want to push only the logs having SourceName=AD FS 2.0 Auditing</P> Fri, 19 Apr 2013 09:43:15 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99521#M20818 skomath 2013-04-19T09:43:15Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99522#M20819 <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> Fri, 19 Apr 2013 10:54:49 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99522#M20819 Ayn 2013-04-19T10:54:49Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99523#M20820 <P>Just to be clear these modifications to props.conf and transforms.conf will go on the indexer, not the forwarder.</P> Fri, 19 Apr 2013 13:45:54 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99523#M20820 jstockamp 2013-04-19T13:45:54Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99524#M20821 <P>So, Is it possible to do the filtering at client side ( in Universal forwarder ) ?</P> Fri, 19 Apr 2013 14:57:47 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99524#M20821 skomath 2013-04-19T14:57:47Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99525#M20822 <P>see <A href="http://splunk-base.splunk.com/answers/39231/filtering-with-a-uf-before-indexing">http://splunk-base.splunk.com/answers/39231/filtering-with-a-uf-before-indexing</A> for answers to your above question</P> Fri, 19 Apr 2013 15:16:03 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99525#M20822 aholzer 2013-04-19T15:16:03Z https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99526#M20823 <P>No, it is not.</P> Fri, 19 Apr 2013 15:16:36 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-index-and-application-in-Universal-forwarder/m-p/99526#M20823 Ayn 2013-04-19T15:16:36Z