https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111444#M1131 <P>On your forwarder</P> <P>inputs.conf</P> <PRE><CODE>[monitor://your stuff to monitor] sourcetype = blah index = bleh + other inputs settings </CODE></PRE> <P>Just make sure that the index <CODE>bleh</CODE> exists in your indexer before you start sending events.</P> <P>/K</P> Wed, 02 Apr 2014 13:12:50 GMT kristian_kolb 2014-04-02T13:12:50Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111439#M1126 <P>Hi! </P> <P>We are migrating from storm to self hosted splunk. </P> <P>In storm there are projects which are a nice addition to splunk capabilities in Enterprise all te forwarded data goes to the same bag. </P> <P>If we forward for example "access.log"s from different machines which serve different projects we cuold limite search and report by hosts but this is inneficient.</P> <P>Is there a way to setup forwarders to add a field which tell which project that lines come from ?</P> <P>EDIT:</P> <P>After some click'n'learn i managed to create several indexes, an several receivers. But i cannot fin the way to setup a different index per receiver por. Any data sent by the universal forwarder to any receiver goes to the main index in the splunk server</P> Fri, 28 Mar 2014 14:03:28 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111439#M1126 splunkprimeriti 2014-03-28T14:03:28Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111440#M1127 <P>Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.</P> Fri, 28 Mar 2014 17:38:28 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111440#M1127 martin_mueller 2014-03-28T17:38:28Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111441#M1128 <P>@martin_muller perhaps. I'm n00b with the enterprisei flavor of splunk. We have one license for three related projects and want to do searches only on one of 'em at a time. I was loking for a way to do "* project=foobar" But if is there another way to achieve it will suffice</P> Mon, 31 Mar 2014 13:57:16 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111441#M1128 splunkprimeriti 2014-03-31T13:57:16Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111442#M1129 <P>hi @martin_mueller seems that you are right I need separate indexes per project, but I can not achieve it.</P> Wed, 02 Apr 2014 09:48:14 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111442#M1129 splunkprimeriti 2014-04-02T09:48:14Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111443#M1130 <P>How so?</P> <P>You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the <CODE>index</CODE> key in inputs.conf on your forwarders.</P> Wed, 02 Apr 2014 09:52:01 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111443#M1130 martin_mueller 2014-04-02T09:52:01Z https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111444#M1131 <P>On your forwarder</P> <P>inputs.conf</P> <PRE><CODE>[monitor://your stuff to monitor] sourcetype = blah index = bleh + other inputs settings </CODE></PRE> <P>Just make sure that the index <CODE>bleh</CODE> exists in your indexer before you start sending events.</P> <P>/K</P> Wed, 02 Apr 2014 13:12:50 GMT https://community.splunk.com/t5/Knowledge-Management/Tag-data-on-universal-forwarder/m-p/111444#M1131 kristian_kolb 2014-04-02T13:12:50Z