topic Re: Setting indexes on windows universal forwarder in Getting Data In

How to configure the Splunk universal forwarders on a Windows machine to send to an index that isn't the main?

TrueMex — Fri, 11 Feb 2022 16:45:24 GMT

Hi All, i am trying to configure the splunk universal forwarders on a windows machine to send to an index that isnt main. I attempted to set index=windows_index in the inputs.comf file in $splunk/etc/system/local/. when i set the index there, and restart the forwarder no logs get to splunk. when removed and restarted again, logs all pour in.

Is this config setting something to be set in the forwarders?

Re: Setting indexes on windows universal forwarder

pradeepkumarg — Fri, 08 Jun 2018 18:31:00 GMT

Is this index created on the indexer? windows_index. Unless you create the index on the indexer, the events end up no where.

Re: Setting indexes on windows universal forwarder

kmorris_splunk — Fri, 08 Jun 2018 19:15:19 GMT

Can you share your inputs.conf stanza? Also, to gpradeepkumarreddy's point, the index needs to exist in the indexers.

Re: Setting indexes on windows universal forwarder

TrueMex — Fri, 08 Jun 2018 19:18:53 GMT

Index exists. I figured out the issue in one machine, i did not denote index="windows_index"

Also note windows_index is a placeholder before anyone else gets me.

Re: Setting indexes on windows universal forwarder

TrueMex — Fri, 08 Jun 2018 19:19:59 GMT

I figured out one issue and yet another has appeared. I needed to have index="windows_index" with the index inside "" but while this works on one machine it does not on another. i will update when i have more.

Re: Setting indexes on windows universal forwarder

raghu0463 — Fri, 08 Jun 2018 19:35:46 GMT

I think you need to login as Admin for editing inputs.conf file on forwarder system. i.e open the .txt file as run as administrator.

Re: Setting indexes on windows universal forwarder

bogdan_nicolesc — Fri, 25 Jan 2019 14:31:11 GMT

Hi all,

I was about to ask the same question.

So let me get this clear ....

In file inputs.conf from Program Files\Splunk\etc\system\local you need to type in what to index to use on the indexer server ... ??

And on the server side you need to create an index with the name put in the inputs.conf .... right?

This inputs.conf can't be from Splunk Universal Forwarder? It has to be from splunk folder?

Can anyone can give me an example of a inputs.conf that collects win security log and send it to an index called win_sec on a server so called 192.168.1.1:9997

I have some ideas how it should look but i'm lost in commands .....

Thank you,
Bogdan.

Re: Setting indexes on windows universal forwarder

woodcock — Fri, 25 Jan 2019 16:47:56 GMT

You need to make sure that you have windows_index defined in indexes.conf on your indexers.

Re: Setting indexes on windows universal forwarder

woodcock — Fri, 25 Jan 2019 17:37:02 GMT

No.
On the forwarder you use inputs.conf and tell it what index value will store the data that you are sending.
On the indexers you need to create that matching index with indexes.conf.

Re: Setting indexes on windows universal forwarder

Bakkar — Tue, 16 Mar 2021 23:56:28 GMT

Updated inputs.conf file from path "C:\Program Files\SplunkUniversalForwarder\etc\system\default"

[monitor://$SPLUNK_HOME\var\log\splunk]

index =<Your Indexname>

[monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*]

index =<Your Indexname>

Hope this helps

Re: Setting indexes on windows universal forwarder

HiwaKarimi — Fri, 11 Feb 2022 14:46:00 GMT

I did like this in path: $SPLUNK_HOME/etc/system/default/indexes.conf for an Index (wallix)

[wallix]
repFactor = auto
homePath = volume:hotwarm/wallix/db
coldPath = volume:cold/wallix/colddb
thawedPath = $SPLUNK_DB/wallix/thaweddb
tstatsHomePath = volume:hotwarm/wallix/datamodel_summary
homePath.maxDataSizeMB = 5120
coldPath.maxDataSizeMB = 10240
maxHotBuckets = 10
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 15360
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 31104000