https://community.splunk.com/t5/Getting-Data-In/Is-this-inputs-conf-changing-our-default-index-from-quot-Main/m-p/334531#M61854 <P>Hi JordanPeterson,<BR /> change index in [default] stanza</P> <PRE><CODE>[default] index = main </CODE></PRE> <P>One additional information: what is the stanza of DesktopForwarder wher is the first "row index=test" I see?</P> <P>Bye.<BR /> Giuseppe</P> Thu, 26 Oct 2017 07:02:50 GMT gcusello 2017-10-26T07:02:50Z https://community.splunk.com/t5/Getting-Data-In/Is-this-inputs-conf-changing-our-default-index-from-quot-Main/m-p/334530#M61853 <P>I inherited a Splunk Enterprise deployment with a deployment management server used to make changes to all forwarders in the environment. In our environment we have an Index called "test" that is eating away at a highly disproportionate amount of our license (it's 50+% of our daily usage). </P> <P>When I logon to our Splunk Deployment Server and do a search for "Index = test" or "Index=test" I get back to apps in $SPLUNK_HOME/etc/deployment-apps/. The first is DesktopForwarder that has a default <CODE>inputs.conf</CODE> file that looks like this (extra line breaks removed): </P> <PRE><CODE>index=test # Specific File Change Monitors [fschange:$windir/win.ini] fullEvent=true [fschange:$windir/system.ini] fullEvent=true [fschange:c:/autoexec.bat] fullEvent=true [fschange:c:/config.sys] fullEvent=true [fschange:c:/boot.ini] fullEvent=true [fschange:$windir/regedit.exe] # Folder File Change Monitors [fschange:$windir/system] filters=filetypes-blacklist [fschange:$windir/system32] filters=filetypes-blacklist,system32-blacklist [fschange:C:/Documents and Settings/All Users/Start Menu/Programs/Startup] filters=filetypes-blacklist [fschange:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup] filters=filetypes-blacklist # Change Monitor Filters [filter:blacklist:generic-blacklist] [filter:blacklist:filetypes-blacklist] regex1=.*\.log regex2=.*\.evtx regex3=.*\.tmp regex4=.*\.bak regex5=.*\.dat regex6=.*\.old regex7=.*\.bad [filter:blacklist:system32-blacklist] regex1=.*\\LogFiles\\.* regex2=.*\\wbem\\Logs\\.* regex3=.*\\wbem\\Repository\\.* regex4=.*\\config\\.* regex5=.*\\spool\\.* regex6=.*\\CatRoot\\.* </CODE></PRE> <P>The second is a Forwarder app that has a default <CODE>inputs.conf</CODE> that looks like this: </P> <PRE><CODE>[default] index = test [fschange:D:\Program Files\Splunk\etc] disabled = 1 </CODE></PRE> <P>In the context of today if I search <CODE>index="test"</CODE> I get thousands of WinEventLog:Security from every Windows server on our network. If I search <CODE>index="test" NOT sourcetype="WinEventLog:Security"</CODE> I get a few dozen log files from one RHEL6 server that don't appear to be handled elsewhere. </P> <P>My question is in the second file (Forwarder/default/inputs.conf) is that changing our default index from "Main" to "test" for all forwarders getting apps from the management server? </P> <P>Additionally if I search <CODE>sourcetype="WinEventLog:Security"</CODE> I have 2 other indexes (for a total of 3) getting WinEvent Security logs. Is there a way for me to tell if these are duplicates? </P> Wed, 25 Oct 2017 22:49:22 GMT https://community.splunk.com/t5/Getting-Data-In/Is-this-inputs-conf-changing-our-default-index-from-quot-Main/m-p/334530#M61853 JordanPeterson 2017-10-25T22:49:22Z https://community.splunk.com/t5/Getting-Data-In/Is-this-inputs-conf-changing-our-default-index-from-quot-Main/m-p/334531#M61854 <P>Hi JordanPeterson,<BR /> change index in [default] stanza</P> <PRE><CODE>[default] index = main </CODE></PRE> <P>One additional information: what is the stanza of DesktopForwarder wher is the first "row index=test" I see?</P> <P>Bye.<BR /> Giuseppe</P> Thu, 26 Oct 2017 07:02:50 GMT https://community.splunk.com/t5/Getting-Data-In/Is-this-inputs-conf-changing-our-default-index-from-quot-Main/m-p/334531#M61854 gcusello 2017-10-26T07:02:50Z