topic Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main in Getting Data In

Splunk Forwarder for Windows won't forward to specific index -- defaults to main

justinong — Sat, 16 Feb 2013 01:09:56 GMT

Forwarder works properly on initial install. Event logs are successfully exported into Splunk, but end up in the main index.

I modified inputs.conf and added
[default]
index = otherindex

After that, no data is transmitted. I know that the index is there as it is successfully displaying data that is coming in from our Linux hosts. I also tried simply adding index = otherindex under each type of Eventlog with the same results.

Maybe there is some kind of permission that is blocking these Windows hosts from writing to that index? (I'm not the Splunk admin so I don't know what's possible -- I'm merely deploying the client)

Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main

Drainy — Sat, 16 Feb 2013 08:37:29 GMT

Some basic tips which you'd need to clarify if you've tried first;

Changing the inputs.conf requires a restart for the changes to take
effect
When you say the index is successfully showing data from Linux hosts, is this through a dashboard or by you searching index=otherindex in a search window? By default you won't probably be searching this index when you run searches unless its been added to your role.
Once a forwarder has sent data it won't re-send it unless you clear its fishbucket out, but you should still receive new events - if there have been any

Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main

justinong — Mon, 18 Feb 2013 09:21:59 GMT

Yep. Every time I made a change to any of the conf files I restarted the SplunkForwarder Service.
By searching.

I confirmed that I can do index=existingindex and it'll show things coming in.
I also confirmed that if I do host=windowshost it'll show things coming into main pretty much constantly, and stops when I add the index = line to inputs.conf.

I realize that, when I take the index = line out of inputs.conf and restart the service it starts sending back to main without issue.

It's an odd problem! I swear I'm doing everything by the docs.

Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main

Drainy — Mon, 18 Feb 2013 09:46:11 GMT

Have you tried setting the index= on the indexer side?

Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main

justinong — Tue, 19 Feb 2013 19:03:31 GMT

I haven't. I only have access to the hosts on which I'm installing the forwarder. I can however make a suggestion to the Splunk admin if we narrow things down. Is there some kind of syntax that can be set to specifically send Windows Eventlogs going to main to another index?

I forgot to mention that I've done this on a couple Windows servers and the behavior is the same on each.

Re: Splunk Forwarder for Windows won't forward to specific index -- defaults to main

justinong — Tue, 05 Mar 2013 18:54:48 GMT

I'm going to assume there was a bug in the last version -- I downloaded the latest Forwarder and it works as expected now.