I am rolling out Splunk across several Windows machines and have noticed a problem. To simplify installation of Splunk I have written a script which installs Splunk quietly from the command line. Next, the script stops the service, modifies the inputs.conf file adding the following line:
Next the script starts the service. This appeared to be working correctly; however, I have now found that many events are being forwarded to the main index. I suspect that Splunk starts sending the events the moment it has been installed to the main index; after the service is stopped and the inputs.conf file is modified, it begins sending to the correct index.
Firstly, how do I move the events that have already been forwarded into the correct index?
Second, and most important, how do I ensure that Splunk ONLY forwards events to the windows index?
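As an added illustration of the install-then-configure race the question describes (this is example code, not the poster's script and not Splunk's own tooling): the window in which events reach `main` exists because the installer starts the service before the script has written `inputs.conf`. The sequence below installs the Universal Forwarder with the documented MSI properties `AGREETOLICENSE=Yes` and `LAUNCHSPLUNK=0` so the service is not started by the installer, writes `inputs.conf` with a `[default]` stanza so every enabled input inherits the `windows` index unless it explicitly overrides it, verifies the effective configuration with `splunk btool` before the first start, and only then starts the service. The MSI path, the install directory, the service name `SplunkForwarder` (the Universal Forwarder's service; a full Splunk Enterprise install uses `Splunkd`) and the index name `windows` are assumptions for this example.

```powershell
# Added example, not from the original post. Assumed values are marked below.
$Msi        = 'C:\Temp\splunkforwarder.msi'                     # assumed MSI location
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'        # assumed default install dir
$Service    = 'SplunkForwarder'                                  # assumed: UF service name
$Index      = 'windows'                                          # target index from the question

# 1. Install quietly but do NOT launch the service. LAUNCHSPLUNK=0 is the documented
#    MSI property that prevents the installer from starting splunkd, so no input can
#    forward to the default index before inputs.conf exists.
$args = @('/i', "`"$Msi`"", 'AGREETOLICENSE=Yes', 'LAUNCHSPLUNK=0', '/quiet')
$p = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -NoNewWindow -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }

# 2. Write inputs.conf. The [default] stanza sets the index for every input stanza in
#    this file that does not set its own, which also covers inputs enabled by the
#    installer that the script did not list explicitly.
$Local = Join-Path $SplunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $Local -Force | Out-Null
@"
[default]
index = $Index

[WinEventLog://Security]
disabled = 0
index = $Index

[WinEventLog://System]
disabled = 0
index = $Index
"@ | Set-Content -Path (Join-Path $Local 'inputs.conf') -Encoding ASCII

# 3. Verify the merged configuration before the first start: btool shows the effective
#    index for every input stanza after all inputs.conf files are layered.
$btool = & (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list --debug
$wrong = $btool | Select-String -Pattern "^\S+\s+index\s*=\s*(?!$Index\s*`$)"
if ($wrong) {
    throw "An input still targets another index; refusing to start:`n$($wrong -join "`n")"
}

# 4. Start the forwarder only after the configuration has been confirmed.
Start-Service -Name $Service
Write-Host "Forwarder started; all inputs target index '$Index'."
```

Because the service never runs between installation and configuration, there is nothing to clean up in `main` afterwards; for hosts that have already been installed the old way, the same `btool` check is a useful audit step to confirm no input stanza still falls through to the default index.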