https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127816#M26264 <P>maybe share your inputs.conf</P> <P>here is how to specify the index from the docs as MuS suggested</P> <PRE><CODE>index = &lt;string&gt; * Sets the index to store events from this input. * Primarily used to specify the index to store events coming in via this input stanza. * Detail: Sets the index key's initial value. The key is used when selecting an index to store the events. * Defaults to "main" (or whatever you have set as your default index). </CODE></PRE> <P>also check your default role permissions for default indexs searched or go for a good old 15 minute search of </P> <PRE><CODE>index=* </CODE></PRE> <P>to check all indexes</P> Wed, 27 Jun 2018 20:46:55 GMT 0YAoNnmRmKDg 2018-06-27T20:46:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127813#M26261 <P>Hi,</P> <P>I am using an Universal Forwarder to send a specific file to a Splunk instance on another machine. On this machine, by default it takes "main" as its index and a random sourcetype.</P> <P>I want to define index and sourcetype of my own. At which end should I do the changes "Universal forwarder" or "Splunk instance" and What?</P> <P>Please Help...!!!</P> Wed, 02 Jul 2014 05:40:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127813#M26261 harshal_chakran 2014-07-02T05:40:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127814#M26262 <P>Hi harshal_chakranarayan,</P> <P>set your sourcetype and index in <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/admin/Inputsconf">inputs.conf</A> on your universal forwarder.</P> <P>cheers, MuS</P> Wed, 02 Jul 2014 06:15:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127814#M26262 MuS 2014-07-02T06:15:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127815#M26263 <P>it's doesn't work.. how correct define index ? <BR /> I created index in Splunk, made monitor with custom sourcetype and indexer, but after it nothing to happend.. No errors, no data transfer and, of course, no indexing.. </P> <P>What's wrong ?</P> <P>If I use monitor without custom index - all correct work..</P> Mon, 25 Jun 2018 16:19:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127815#M26263 keekkenen 2018-06-25T16:19:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127816#M26264 <P>maybe share your inputs.conf</P> <P>here is how to specify the index from the docs as MuS suggested</P> <PRE><CODE>index = &lt;string&gt; * Sets the index to store events from this input. * Primarily used to specify the index to store events coming in via this input stanza. * Detail: Sets the index key's initial value. The key is used when selecting an index to store the events. * Defaults to "main" (or whatever you have set as your default index). </CODE></PRE> <P>also check your default role permissions for default indexs searched or go for a good old 15 minute search of </P> <PRE><CODE>index=* </CODE></PRE> <P>to check all indexes</P> Wed, 27 Jun 2018 20:46:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127816#M26264 0YAoNnmRmKDg 2018-06-27T20:46:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127817#M26265 <P>Thanks, I didn't see result of index work - it's worked and make index.<BR /> Yes, my mistake is absence permissions for using index - I forgot add index to using role.</P> Thu, 28 Jun 2018 10:24:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-define-custom-index-and-sourcetype-for-Universal/m-p/127817#M26265 keekkenen 2018-06-28T10:24:52Z