https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407220#M95327 <P>I am collecting the log files from my syslog server and defined the index for the source path but it is still sending the the events to the main index.</P> <P>Need to change the index for the event.</P> <P>Please help!</P> Sat, 13 Apr 2019 17:07:37 GMT sherrysafdar 2019-04-13T17:07:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407220#M95327 <P>I am collecting the log files from my syslog server and defined the index for the source path but it is still sending the the events to the main index.</P> <P>Need to change the index for the event.</P> <P>Please help!</P> Sat, 13 Apr 2019 17:07:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407220#M95327 sherrysafdar 2019-04-13T17:07:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407221#M95328 <P>On your indexer you need to create an index using the <CODE>indexes.conf</CODE> file:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf</A></P> <P>Once the index is defined there, you need to reference it inside of the <CODE>inputs.conf</CODE> on your syslog server like this:</P> <PRE><CODE>[monitor://.......] index=YourIndexNameHere </CODE></PRE> Sat, 13 Apr 2019 18:46:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407221#M95328 woodcock 2019-04-13T18:46:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407222#M95329 <P>I am unable to find the indexes.conf under /opt/splunk/etc/system/local I wonder if I need to need to create one? if that doesn't exist?</P> <P>Also, on my syslog my current inputs.conf looks like below with the default installation.</P> <P>[default]<BR /> host = SP-FWDR</P> <P>Do I need to reference each index inside the inputs.conf whatever I need to be in a separate indexes? how about the rest of the events will it go to the main?</P> Sat, 13 Apr 2019 19:12:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407222#M95329 sherrysafdar 2019-04-13T19:12:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407223#M95330 <P>No, do not put your stuff in <CODE>/opt/splunk/etc/system/local</CODE>. Create your own app on your indexers in <CODE>/opt/splunk/etc/apps/YourCompany_all_indexes/default/indexes.conf</CODE>. Yes, you reference that index name inside of <CODE>inputs.conf</CODE> on your syslog server. If you do not specify any index name, then by default, your events will go to <CODE>main</CODE>. If you specify and index name/value that does not exist, then the events will go nowhere and get dropped (logging <CODE>Received event for unconfigured/disabled/deleted</CODE> in <CODE>index=_internal</CODE> ), unless you have defined a <CODE>lastChanceIndex</CODE> on your indexers.</P> Sat, 13 Apr 2019 19:46:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407223#M95330 woodcock 2019-04-13T19:46:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407224#M95331 <P>Sorry for jumping in @woodcock - we put our indexes under <CODE>$SPLUNK_HOME/etc/apps/YourCompany_all_indexes/local/indexes.conf</CODE> (local versus your recommendation of default).</P> <P>In the past, on an older platform, we placed the indexes under - <CODE>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf</CODE></P> <P>So, we see three variations - </P> <P>1) <CODE>$SPLUNK_HOME/etc/apps/YourCompany_all_indexes/default/indexes.conf</CODE><BR /> 2) <CODE>$SPLUNK_HOME/etc/apps/YourCompany_all_indexes/local/indexes.conf</CODE><BR /> 3) <CODE>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf</CODE></P> <P>Why is #1 the preferred way?</P> Sun, 14 Apr 2019 00:52:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407224#M95331 ddrillic 2019-04-14T00:52:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407225#M95332 <P>The person who <CODE>authors</CODE> the app should deploy his configurations in <CODE>default</CODE>. That way if the person who is <CODE>using</CODE> the app needs to updated/override/configure the settings to suit his situation, he can deploy his configurations in <CODE>local</CODE> to override the author's defaults. Splunk PS has the bad habit of deploying their configurations in <CODE>custom_app/local</CODE> because it suits them better to have configurations that the user cannot override because they prefer things to stay the way that they think they should be. I think that this is a mistake. In any case <STRONG>EVERYBODY</STRONG> agrees that nothing should be deployed in <CODE>$SPLUNK_HOME/etc/system/</CODE>.</P> Sun, 14 Apr 2019 05:47:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407225#M95332 woodcock 2019-04-14T05:47:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407226#M95333 <P>Much appreciated @woodcock , what about the <CODE>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf</CODE> location ?</P> Sun, 14 Apr 2019 12:31:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407226#M95333 ddrillic 2019-04-14T12:31:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407227#M95334 <P>That directory has the highest precedence of all, even higher than <CODE>$SPLUNK_HOME/etc/system/local/</CODE>, so is for emergencies only.</P> Sun, 14 Apr 2019 14:21:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407227#M95334 woodcock 2019-04-14T14:21:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407228#M95335 <P>oh oh wow - much appreciated @woodcock !!!</P> Sun, 14 Apr 2019 21:58:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407228#M95335 ddrillic 2019-04-14T21:58:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407229#M95336 <P>If you deploy indexes.conf via the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf then your indexes.conf on the peer nodes (indexers) will reside at /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf, not at /etc/system/local.</P> <P>In a clustered environment, I'm not a fan of deploying indexes.conf any other way, though it can be done (e.g. in a custom app).<BR /> If that app gets deleted, or you inadvertently deploy with the app directory missing, or wrong permissions, etc. then you're going to have problems.</P> <P>The /opt/splunk/etc/master-apps/_cluster/local/ is a special directory intended just for this purpose, and is documented as such:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.4/Indexer/Updatepeerconfigurations" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.0.4/Indexer/Updatepeerconfigurations</A></P> Wed, 30 Sep 2020 00:14:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-new-index/m-p/407229#M95336 codebuilder 2020-09-30T00:14:31Z