https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20903#M3074 <P>Hi,</P> <P>I've installed a Universal Forwarder and it is forwarding Windows events fine to the Splunk server.</P> <P>Hoever, all Windows eventlogs are indexed in the "main" index of Spunk and I would like to have these indexed somwhere else.<BR /> I can't find out what stanza I should use to specify an index for the eventlogs in the config of the Universal forwarder.</P> <P>The idea is to have multiple types of Windows hosts configured to use different indexes, all bering forwarded to the same Splunk server.</P> <P>Best regards,</P> Fri, 06 Apr 2012 07:13:41 GMT johanbraeken 2012-04-06T07:13:41Z https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20903#M3074 <P>Hi,</P> <P>I've installed a Universal Forwarder and it is forwarding Windows events fine to the Splunk server.</P> <P>Hoever, all Windows eventlogs are indexed in the "main" index of Spunk and I would like to have these indexed somwhere else.<BR /> I can't find out what stanza I should use to specify an index for the eventlogs in the config of the Universal forwarder.</P> <P>The idea is to have multiple types of Windows hosts configured to use different indexes, all bering forwarded to the same Splunk server.</P> <P>Best regards,</P> Fri, 06 Apr 2012 07:13:41 GMT https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20903#M3074 johanbraeken 2012-04-06T07:13:41Z https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20904#M3075 <P>Locate the <CODE>inputs.conf</CODE> file on your forwarder. You will have several inputs.conf files, but the one to look for is the one containing the following stanza;</P> <PRE><CODE>[WinEventLog:XXX] disabled=0 </CODE></PRE> <P>XXX would be Application, Security or System (or all of those in separate stanzas in the file). There may be other parameters defined under each stanza heading. Just add another line specifying <CODE>index=zzzz</CODE> , where <CODE>zzzz</CODE> is an index you have configured on your indexer. </P> <P>The most likely location to find the correct inputs.conf file would be in;</P> <PRE><CODE>C:\Program Files\splunk\etc\apps\search\local C:\Program Files\splunk\etc\apps\launcher\local C:\Program Files\splunk\etc\apps\MSICreated\local C:\Program Files\splunk\etc\system\local </CODE></PRE> <P>Do not edit any file in a default-directory.</P> <P>Hope this helps,</P> <P>Kristian</P> Fri, 06 Apr 2012 10:25:39 GMT https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20904#M3075 kristian_kolb 2012-04-06T10:25:39Z https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20905#M3076 <P>Please upvote a/o mark as accepted if your question was answered. Thanks.</P> <P>Kristian</P> Fri, 06 Apr 2012 12:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/Specify-index-for-windows-Eventlogs-in-Universal-Forwarder/m-p/20905#M3076 kristian_kolb 2012-04-06T12:10:13Z