topic Re: forwarding data by identified index in Getting Data In

forwarding data by identified index

makhambayeva — Mon, 29 Apr 2019 11:24:37 GMT

I have a Splunk Enterprise, which collects 3 different indexed data, I need to forward only one of them, how can I do this?

Re: forwarding data by identified index

mdsnmss — Mon, 29 Apr 2019 12:57:57 GMT

Hi @makhambayeva,
What does your inputs.conf look like? What kind of data are you collecting and how are you collecting it? Is the data you are looking to collect split out between different files/sources or combined into one? Depending on those answers there may be different solutions.

Re: forwarding data by identified index

somesoni2 — Mon, 29 Apr 2019 15:14:49 GMT

Also, provide how data is currently being ingested and how you want it to be (with some examples).

Re: forwarding data by identified index

makhambayeva — Tue, 30 Apr 2019 03:25:36 GMT

I have two flows from different protective equipments (FortiGate, FortiSandox), which are sending data on certain tcp ports, and one auth log-file, which is stored on Splunk server on "/var/log/secure" directory. There are 3 diferent sources, but when I configure forwarding from web console, it send only information came from ports. How i need to configure inputs.conf in order to send data from certain file?

Re: forwarding data by identified index

makhambayeva — Tue, 30 Apr 2019 03:38:02 GMT

to be exact, splunk forwards log-file to indexer, but , according to my thoughts, indexer cannot receive them. i see warning "received event from unconfigured/disabled/deleted index=secure. So far received events from missing index"

Re: forwarding data by identified index

mdsnmss — Wed, 01 May 2019 15:44:50 GMT

That means you are receiving the events but your inputs is telling them to go to index=secure and you don't have the index configured. What does your architecture look like? You would need that index configured at your indexer (https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes#Create_and_edit_indexes).

Re: forwarding data by identified index

mdsnmss — Wed, 01 May 2019 15:47:43 GMT

There is also a setting in indexes.conf that specified a lastChanceIndex. It is explained here: https://answers.splunk.com/answers/594449/what-happens-when-the-forwarder-is-configured-to-s.html. If your data has an index specified it can't get to it would go to what you specify here. People often configure it for main.