topic Re: Why are my logs sent to the default index? in Getting Data In

Why are my logs sent to the default index?

Mystica856 — Sat, 05 Aug 2017 15:43:47 GMT

Greetings all,

I am new to Splunk and trying to know my way around it. I created a home lab environment with the following details:
* 1 search head, 1 indexer, and 1 Heavy forwarder ( All Linux).
* 1 Universal forwarder ( my desktop).

Right now, my windows logs are being sent from the Universal Forwarder to Heavy forwarder on TCP port 9998 (random port #). Then, the Heavy Forwarder receives on 9998 and sends on to the indexer on 9997. I can search from the search head and receive all data however they all go to index=main.

I tried the following:
* modify inputs.conf in Heavy forwarder with the following:
[tcp://mydesktopIP:9998]

index = desktop

I also tried to modify the inputs.conf file in the launcher app: [splunktcp://9998] index = desktop ====

None of the options above worked. Also kindly note that I ensured that the indexes.conf file in my indexer has the "desktop" index information.

Thanks in advance.

Re: Why are my logs sent to the default index?

Mystica856 — Sat, 05 Aug 2017 15:47:15 GMT

Splunk version 6.6.0 I forgot to add it to the question.

Re: Why are my logs sent to the default index?

gcusello — Sat, 05 Aug 2017 16:58:40 GMT

Hi Mystica856,
destination index must be set in each stanza of each inputs.conf file of Universal Forwarders not of Heavy Forwarder or Indexer.
On heavy Forwarder, destination index must be set only for local logs, nof from Universal Forwarders.

It's also possible to change destination index on Indexers (see https://docs.splunk.com/Documentation/Splunk/6.6.2/Data/Advancedsourcetypeoverrides ), in other words:
in props.conf

 [mysourcetype]
 TRANSFORMS-index = overrideindex

in transforms.conf

 [overrideindex]
 DEST_KEY =_MetaData:Index
 REGEX = .
 FORMAT = new_index

Bye.
Giuseppe

Re: Why are my logs sent to the default index?

Mystica856 — Sat, 05 Aug 2017 18:11:01 GMT

That did fix it. But what I did is I went to each source/stanza in my "D:/programfiles/splunkuniversalforwarder/etc/apps/splunkuniversalforwarder/local/inputs.conf" and added index=desktop to each. My question is, is there a way to do it on a global level. Meaning, can I tell the universal forwarder that the logs sent to port 9998 should go to index=desktop without editing each stanza?

Thanks for the solution.

Re: Why are my logs sent to the default index?

gcusello — Sun, 06 Aug 2017 08:36:10 GMT

Hi Mystica856,
I don't like to do this for more reasons:
at first I prefer to set destination index in each stanza to have more control on each input of my deployment and don't overload Indexer of jobs that usually forwarders do.
I usually put my inputs.conf in dedicated apps (called Techical Add-Ons or TAs) that I centrally manage using a Deployment Server (dedicated when I have many forwarders), but for test you can use the same server of Indexer.
In addition don't use splunkuniversalforwarder app because it's a default Splunk app, create a custom TA and put your inputs.conf in it.
At the end the path you described is wrong because in Windows you have to use backslash instead of slash.
Bye.
Giuseppe