topic Change the INDEX for the data received from Splunk Forwarder in Getting Data In

Change the INDEX for the data received from Splunk Forwarder

klkumar10 — Tue, 13 Jul 2010 21:35:05 GMT

I have Splunk (4.1.2) with Search / Indexer running on Redhat Linux. And I installed Splunk (4.1.2) as forwarder on a windows server.

From the windows Splunk forwarder I am collecting Windows Remote Logs using WMI and forwarding them to my Splunk Instance running on Linux.

By default, all the WMI data collected is going to "main" index. I created an index called windows on the main splunk instance on Linux. I want all the data coming from the windows forwarder to go to index "windows"

Can someone help me in configuring the same?

Re: Change the INDEX for the data received from Splunk Forwarder

Simeon — Tue, 13 Jul 2010 22:54:36 GMT

When the data leaves the forwarder it can be labeled with the other index you want to send to. There are two steps that need to occur:

1 - Create the index on the Splunk indexer. You can do this via the GUI and you will need to restart Splunk for the index to be created.

2 - Modify the WMI input settings on the Forwarder to use the windows index. To do this, find the input setting for your WMI input (likely in $SPLUNK_HOME/etc/apps/windows/default) and set the index value to windows. Typically, you can just edit your inputs.conf file and add a "index=windows" line under your WMI input:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
index=windows

Re: Change the INDEX for the data received from Splunk Forwarder

klkumar10 — Wed, 14 Jul 2010 14:10:40 GMT

Thanks for the solution.

But instead of adding the script option, I made the default index to windows in inputs.conf

$SPLUNK_HOME/etc/apps/windows/local/inputs.conf

[default]
index = windows

And then restarted splunk, it works.

Re: Change the INDEX for the data received from Splunk Forwarder

krusty — Thu, 16 Dec 2010 01:02:39 GMT

Hi,

is it possible to use different indexes on the main splunk server? For example I have 2 fileserver in our windows environment and many other windows server. The event data of the fileserver should be stored at "index_fileserver" and the other event data of the other windows server should be stored at "index_windows". How can I configure this on the windows forwarder?

Thanks

Re: Change the INDEX for the data received from Splunk Forwarder

gopala — Tue, 29 Sep 2020 08:08:40 GMT

Hi, Question for Simeon.
I have tried to configure the script thing and it doesnt work. I might be missing something or doing something wrong.
Also in our forwarder the path/script names are slightly different:

C:\Program Files\SplunkUniversalForwarder\etc\apps*Splunk_TA_windows*\default\inputs.conf

C:\Program Files\SplunkUniversalForwarder\bin\scripts*splunk-wmi.path*

splunk-wmi.path is actually not a python script but a file which content is just the text :
$SPLUNK_HOME\bin\splunk-wmi.exe

Maybe we need to modify a different inputs.conf ? this type of file is everywhere inside the $splunkhome
The exact modification we need to do is to write just "RIGHT" under the label ###### Scripted Input (See also wmi.conf):
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
index=windows

Is this correct ? including all thebrackets <a href="... etc... ? Im totally lost

...So the win forwarded logs arrive to the main index which is something that we dont want.
On the other hand we dont want to change the main index to be our windows index. We would like to keep everything on its proper place.
Any hints ?">

Re: Change the INDEX for the data received from Splunk Forwarder

piebob — Wed, 09 Dec 2015 16:10:44 GMT

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Setupmultipleindexes