Splunk Add-on for Windows - indexes.conf has been removed.

davidjohnbecket
Path Finder

With the recent version of Splunk Add-on for Windows, the use of the indexes.conf has been removed.

The question I can't figure out the answer to is how the data then knows where to go from the UF to the index...

On my endpoint UF I have the app deployed and the inputs.conf in the \local folder.

None of the stanzas have the "index=xxx" line in the config, but somehow the data is making its way to the index.

If I want to send data to a custom index, how can I?

0 Karma

skalliger
Motivator

Hey.

It's important to read the docs before you upgrade. They actually mentioned the intentions in their release notes if I remember correctly.

Usually you will have a single index.conf for your indexers which will include all of your index definitions altogether. Splitting this into several apps isn't really manageable. An app should not define an index for you.

Skalli

0 Karma

davidjohnbecket
Path Finder

I realise that, but in an app inputs.conf you would typically designate where the data goes (into what index)

e.g.

On the UF (Windows application server)...

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
index = winevents

Now the inputs.conf files do not have the index line in the stanza, so how does the app know what index to send specific data to?
How does the Windows_TA app know to send [WinEventLog://Application] data to the winevent index?

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

0 Karma

skalliger
Motivator
0 Karma

davidjohnbecket
Path Finder

https://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#Upgrade_from_version_4.8.4_to_...

The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the index= parameter from all stanzas in inputs.conf, wmi.conf, and eventgen.conf.
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from the indexes.conf, inputs.conf, wmi.conf, and eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.

Why did Splunk do this?
What were their intentions?

Now all data gets sent to the main index 😕

0 Karma
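
A small audit for the situation discussed in this thread, as an added example that is not part of any post or of the add-on: it merges one app's default and local inputs.conf, then reports each enabled stanza's effective index and whether the indexer's indexes.conf defines it. The sample configs are constructed, the function names are hypothetical, and only one app's default/local layering is modelled, not Splunk's full precedence across apps and system directories.

```python
import configparser

# Constructed sample configs for illustration (not from the thread's hosts).
DEFAULT_INPUTS = """\
[WinEventLog://Application]
disabled = 1
current_only = 0
"""
LOCAL_INPUTS = """\
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0

[perfmon://CPU]
disabled = 0
index = perfmon
"""
INDEXER_INDEXES = """\
[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
"""

def parse_conf(*texts):
    """Parse .conf texts in order; later texts override earlier ones (local over default)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. checkpointInterval
    for text in texts:
        cp.read_string(text)
    return cp

def audit_inputs(default_inputs, local_inputs, indexer_indexes):
    """Map each enabled input stanza to (effective index, where it was set, status)."""
    inputs = parse_conf(default_inputs, local_inputs)
    defined = set(parse_conf(indexer_indexes).sections()) | {"main"}  # main always exists
    fallback = inputs.get("default", "index", fallback="main")  # optional global [default] stanza
    report = {}
    for stanza in inputs.sections():
        disabled = inputs.get(stanza, "disabled", fallback="0").lower() in ("1", "true")
        if stanza == "default" or disabled:
            continue
        index = inputs.get(stanza, "index", fallback=None)
        source = "stanza" if index else "default"
        index = index or fallback
        status = "ok" if index in defined else "not defined on indexer"
        report[stanza] = (index, source, status)
    return report
```

On a live forwarder, `splunk btool inputs list --debug` prints the fully merged inputs configuration and the file each setting came from.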