The environment is working well, since we already have some indexes created there and running as expected. I just want to add another new index with new data.
Here is what I did:
1. Created a new index (named: newindex) from the search head web page: Settings --> Indexes --> New Index
2. On the heavy forwarder server, in ..../etc/apps/search/local/inputs.conf, added:
[monitor://D:\filepath\filename*]
disabled=0
host=a_new_hostname
index=newindex
sourcetype=a_old_sourcetype
3. Copied the log files to the path: D:\filepath\
4. Restarted Splunk on the heavy forwarder
After these steps, I could not get any data from a search query (e.g. index=newindex). By the way, I couldn't even find the index on the indexer server web page (Settings --> Indexes).
Did I miss something? Please advise. Thanks.
You have to create a new index on the machine your forwarders send the data to.
Try to add a new index by using the WebUI from your indexer(s) or by configuring indexes.conf on all your indexers.
I hope it works for you!
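An indexes.conf stanza matching the answer above, added here as an illustration and not part of the original posts. The index name comes from the question; the file location and the directory names under $SPLUNK_DB are assumptions to adapt to your deployment.

```ini
# indexes.conf on each indexer that receives data from the heavy forwarder
# Assumed location: $SPLUNK_HOME/etc/system/local/ or an app's local directory
# The stanza name must match "index=newindex" in the forwarder's inputs.conf
[newindex]
homePath   = $SPLUNK_DB/newindex/db
coldPath   = $SPLUNK_DB/newindex/colddb
thawedPath = $SPLUNK_DB/newindex/thaweddb
```

Restart Splunk on each indexer after adding the stanza, then confirm the index appears under Settings --> Indexes on the indexer and that index=newindex returns events.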
Thanks for your help. It's working now.