On your indexer you need to create an index using the
Once the index is defined there, you need to reference it inside of the inputs.conf on your syslog server like this:
I am unable to find the indexes.conf under /opt/splunk/etc/system/local. I wonder if I need to create one, if that doesn't exist?
Also, on my syslog server, my current inputs.conf looks like the one below with the default installation.
host = SP-FWDR
Do I need to reference each index inside the inputs.conf for whatever I need to be in separate indexes? How about the rest of the events, will they go to main?
No, do not put your stuff in /opt/splunk/etc/system/local. Create your own app on your indexers in /opt/splunk/etc/apps/YourCompany_all_indexes/default/indexes.conf. Yes, you reference that index name inside of inputs.conf on your syslog server. If you do not specify any index name, then by default, your events will go to main. If you specify an index name/value that does not exist, then the events will go nowhere and get dropped (logging "Received event for unconfigured/disabled/deleted" in index=_internal), unless you have defined a lastChanceIndex on your indexers.
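To make the two halves of that answer concrete, here is an added example (not from the original answer or from Splunk's own sample files) of the indexes.conf in the custom app on the indexer and the matching inputs.conf on the syslog server. The app name YourCompany_all_indexes comes from the thread; the index names firewall and lastchance, the bucket paths, the second app name and the monitored files are assumptions.

```ini
# Added example, not from the original answer. Index names, paths and the
# inputs app name are assumptions. Splunk .conf files do not support
# inline comments, so every comment sits on its own line.

# --- indexer: /opt/splunk/etc/apps/YourCompany_all_indexes/default/indexes.conf ---
[default]
# Global setting: events whose index= value is not defined on this indexer
# land here instead of being dropped with the
# "Received event for unconfigured/disabled/deleted index" message.
# The target must itself be a defined, enabled index (see below).
lastChanceIndex = lastchance

[lastchance]
homePath   = $SPLUNK_DB/lastchance/db
coldPath   = $SPLUNK_DB/lastchance/colddb
thawedPath = $SPLUNK_DB/lastchance/thaweddb

[firewall]
homePath   = $SPLUNK_DB/firewall/db
coldPath   = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb

# --- syslog server: /opt/splunk/etc/apps/YourCompany_inputs/local/inputs.conf ---
[monitor:///var/log/firewall.log]
# Must match a stanza name in the indexer's indexes.conf, otherwise the
# events are dropped (or routed to lastChanceIndex when one is set).
index = firewall
sourcetype = syslog

[monitor:///var/log/messages]
# No index= here, so these events go to main.
sourcetype = syslog
```

After restarting the indexer, `$SPLUNK_HOME/bin/splunk btool indexes list firewall --debug` shows which file each attribute of the stanza was read from, which is the quickest way to confirm the app was picked up before pointing the syslog server at it.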
Sorry for jumping in @woodcock - we put our indexes under $SPLUNK_HOME/etc/apps/YourCompany_all_indexes/local/indexes.conf (local versus your recommendation of default).
In the past, on an older platform, we placed the indexes under -
So, we see three variations -
Why is #1 the preferred way?
The person who authors the app should deploy his configurations in default. That way, if the person who is using the app needs to update/override/configure the settings to suit his situation, he can deploy his configurations in local to override the author's defaults. Splunk PS has the bad habit of deploying their configurations in custom_app/local because it suits them better to have configurations that the user cannot override, because they prefer things to stay the way that they think they should be. I think that this is a mistake. In any case EVERYBODY agrees that nothing should be deployed in
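The default-versus-local layering described above, as an added example that is not part of the original reply. The app name YourCompany_all_indexes comes from the thread; the firewall index, its paths and the retention values are assumptions.

```ini
# Added example, not from the original reply. Index name, paths and
# retention values are assumptions.

# --- /opt/splunk/etc/apps/YourCompany_all_indexes/default/indexes.conf ---
# Shipped by the app author. Defines the index and a 90-day retention.
[firewall]
homePath   = $SPLUNK_DB/firewall/db
coldPath   = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
frozenTimePeriodInSecs = 7776000

# --- /opt/splunk/etc/apps/YourCompany_all_indexes/local/indexes.conf ---
# Added by the site operator. For the same stanza and attribute, local
# wins over default, so only the attribute that differs is repeated;
# the three paths above still apply. Here retention becomes 365 days.
[firewall]
frozenTimePeriodInSecs = 31536000
```

If the author had shipped the stanza in local instead, the operator would have to edit the author's file to change retention, and the next upgrade of the app would overwrite that edit; with the split above, upgrading replaces only default and the local override survives. `splunk btool indexes list firewall --debug` prints the winning value for each attribute together with the file it came from.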
If you deploy indexes.conf via the master at /opt/splunk/etc/master-apps/_cluster/local/indexes.conf then your indexes.conf on the peer nodes (indexers) will reside at /opt/splunk/etc/slave-apps/_cluster/local/indexes.conf, not at /etc/system/local.
In a clustered environment, I'm not a fan of deploying indexes.conf any other way, though it can be done (e.g. in a custom app).
If that app gets deleted, or you inadvertently deploy with the app directory missing, or wrong permissions, etc. then you're going to have problems.
The /opt/splunk/etc/master-apps/_cluster/local/ is a special directory intended just for this purpose, and is documented as such: