All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Microsoft Windows: How do I specify which index to send data to?

andrewtrobec
Motivator
‎05-19-2022 11:00 AM

Hello,

I've just installed the Splunk Add-on for Microsoft Windows and I will be collecting data from UFs that forward first to a HF and then to an indexing cluster.  The app will be deployed to multiple UFs via deployment server.  I only want to collect data from the machines that the UFs are installed on.

I see that there is no way to specify within inputs.conf which index to send the data to.  I've read the documentation but I still don't understand how.  I've even found this post which discusses the same topic but doesn't really provide me with an answer that I understand (sends me to documentation for older version of the add-on).

Could somebody please give me a push in the right direction?

Thank you and best regards,

Andrew

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2022 11:44 AM

Specify the destination index in inputs.conf.  Simply insert a new line in the appropriate stanza with index = followed by the name of index.  See the examples at https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration#Configure_inputs.conf

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎05-19-2022 01:28 PM

@richgalloway thank you so much, I don't know how I didn't figure that out.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2022 11:44 AM

Specify the destination index in inputs.conf.  Simply insert a new line in the appropriate stanza with index = followed by the name of index.  See the examples at https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Configuration#Configure_inputs.conf

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rosez2
Engager
‎11-13-2023 02:12 PM

This worked for me when I was testing on a personal Windows laptop, but the official system I use is 2015 Windows 10 Pro, which is much older. I had to download an older 7.2.10 version of Splunk Universal Forwarder for it to even download. The logs are  being forwarded, but when I add the index line, nothing changes and the search for that index comes up empty. Could this be due to using an older universal forwarder version? Is there a different way to assign an index?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-14-2023 05:16 AM

This thread is over a year old with an accepted solution so the better way to get a response is to post a new question.

The old version s of Universal Forwarder support index names in inputs.conf exactly the same as newer versions.  The index must exist on the indexers, of course, and you must have access to it.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rosez2
Engager
‎11-27-2023 02:28 PM

I have the index in both the inputs.conf stanza, and I also added it to the Splunk Enterprise list of indexes. I don't understand why it worked on my Windows 10 Enterprise and my Kali Linux machines (for Kali I configured through command line), but not Windows 10 2015. I am sure that my steps for Windows 10 2015 and Windows 10 Enterprise are the exact same.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-27-2023 04:49 PM

There might be several things wrong, not the destination index configuration. As @richgalloway already said - please create a new thread describing your configuration and problem. The problem in this thread has already been resolved. Let's keep the Answers nice and tidy 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...