All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Estreamer index goes into main how to change it...

darkwall
New Member
‎06-12-2019 05:54 AM

Hi,

By default if we do nothing eStreamer eNcore data and information goes directly into the main index

How can i change that in a cluster environnement.

Thanks

0 Karma
Reply

rhoadesjon
Engager
‎06-19-2019 06:54 AM

I am not a splunk expert. I am sure there is a slicker / better way to do it but this works for me. I did this on my heavy forwarder that feeds an index cluster.

I copied this from
/opt/splunk/etc/apps/TA-eStreamer/default/inputs.conf

Where data is written to
[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
disabled = 0
source = encore
sourcetype = cisco:estreamer:data
crcSalt =

I added this to /opt/splunk/etc/apps/TA-eStreamer/local/inputs.conf to overide the default
[monitor://$SPLUNK_HOME/etc/apps/TA-eStreamer/data]
disabled = 0
source = encore
sourcetype = cisco:estreamer:data
crcSalt =
index = cisco

My cisco:estreamer:data is now going to index cisco instead of index main

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...