I have configured a Windows logs input to a certain index, Index_test_03, but very little data (tens of events) goes there. Most of it (thousands of events) goes to the main index, something I have not configured!
I also noticed that the indexes I create go under App=Launcher, not Search! The indexes I created before are under App=Search. I have not changed anything for this to happen.
Can you advise?
I have a Windows 2003 box which in Settings/Add Data/Forward has been mapped to "index_test_01". I also have a Windows 2008 box which in the same place is mapped to "index_test_03".
I have done no configuration in the Universal Forwarders except the Splunk server IP and two ports, the latter during install.
"index_test_01" for Win 2003 is populated, while "index_test_03" for Win 2008 gets very little data; most of it goes to index main.
Same config on the universal forwarders, same config on the server, and the results are different.
Can anyone help?
There are 4 possibilities:
1: Inside your new inputs.conf you left index=Index_test_03 out of one of your stanzas.
2: You have a precedence problem where your configurations are not being used because there are configurations with index=main somewhere else. The most likely place is in the learned app, so check there. Also make sure that your configurations are inside your app (not $SPLUNK_HOME/etc/system/*/inputs.conf), such as
3: You have the correct configuration files but you have not deployed them to ALL of your forwarders.
4: You have done everything else correctly but you have not restarted the Splunk instance on all of your forwarders (which must be done after every change to inputs.conf that you make while debugging this).
In any case, you should be able to sort through this by using btool on your forwarders to list out your inputs.conf like this:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
I'd verify your universal forwarder configuration. For the windows event logs you are specifying in inputs.conf, you should have an "index=Index_test_03" configuration set.
The main index is the default, and if you have events showing up there it means, for those inputs, they don't have any other index specified.
How are you collecting the information? Make sure that however you define the input for the Windows logs that you specify the index in the inputs.conf file, otherwise they will go to "main".
Please use the commenting feature, instead of answering the question.
Verify that your indexes are set on the inputs.
Open an Administrative Command Prompt, and type this:
C:\Program Files\Splunk\bin\splunk.exe cmd btool inputs list WinEventLog --debug
Make sure that all of the inputs have the correct index definition defined.
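The two checks recommended above (possibility 1, a stanza with no index= line, and possibility 2, an index=main setting in a higher-precedence file overriding your app) can be reproduced offline against copies of the forwarder's inputs.conf files. The script below is an added example, not code from the original thread or from Splunk; it models the standard four-level precedence for a forwarder (system/default lowest, then the app's default, the app's local, and system/local highest), assumes only one app is involved, and ignores [default] stanzas. The "<app>" path segment is a placeholder and the sample file contents are constructed for the demonstration.

```python
"""Audit which index each WinEventLog input on a forwarder will resolve to."""
import re
from collections import OrderedDict

# inputs.conf precedence on a forwarder, lowest to highest priority: settings in
# later layers override earlier ones. Only a single app is modelled (assumption).
LAYER_ORDER = [
    "etc/system/default/inputs.conf",
    "etc/apps/<app>/default/inputs.conf",   # <app> is a placeholder app name
    "etc/apps/<app>/local/inputs.conf",
    "etc/system/local/inputs.conf",
]

STANZA_RE = re.compile(r"^\[(.+)\]$")
SETTING_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*?)$")


def parse_conf(text):
    """Parse ini-style conf text into {stanza: {key: value}}; '#' comments are skipped."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), OrderedDict())
            continue
        match = SETTING_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return stanzas


def resolve(layers):
    """Merge {path: text} following LAYER_ORDER.

    Returns {stanza: {key: (effective_value, path_that_set_it)}}, which is the
    same information 'btool inputs list --debug' prints per setting.
    """
    merged = OrderedDict()
    for path in LAYER_ORDER:
        if path not in layers:
            continue
        for stanza, settings in parse_conf(layers[path]).items():
            target = merged.setdefault(stanza, OrderedDict())
            for key, value in settings.items():
                target[key] = (value, path)
    return merged


def audit_wineventlog(layers, expected_index, default_index="main"):
    """Return (stanza, effective_index, source) for every WinEventLog stanza
    whose effective index differs from expected_index. A stanza with no index
    setting anywhere falls back to Splunk's default index, main."""
    findings = []
    for stanza, settings in resolve(layers).items():
        if not stanza.startswith("WinEventLog://"):
            continue
        if "index" in settings:
            value, source = settings["index"]
        else:
            value, source = default_index, "(not set, Splunk default)"
        if value != expected_index:
            findings.append((stanza, value, source))
    return findings


# Constructed sample files reproducing both mistakes from the answer above.
SAMPLE_LAYERS = {
    "etc/apps/<app>/default/inputs.conf": """
[WinEventLog://Application]
disabled = 0
index = Index_test_03

[WinEventLog://Security]
disabled = 0
index = Index_test_03

[WinEventLog://System]
disabled = 0
# index line forgotten here: events will land in main
""",
    "etc/system/local/inputs.conf": """
# Leftover from an earlier setup; this file outranks the app's files
[WinEventLog://Security]
index = main
""",
}

if __name__ == "__main__":
    for stanza, index, source in audit_wineventlog(SAMPLE_LAYERS, "Index_test_03"):
        print(f"{stanza}: goes to '{index}' because of {source}")
```

Running it against the constructed files reports that Security is sent to main by etc/system/local/inputs.conf and that System has no index set at all, which is exactly the split between main and the intended index described in the question. On a real forwarder, feed the script the actual file contents, or compare its output with the path shown next to each index line in the btool --debug listing.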
The problem is that most of them go to the main index, while very few go to what I would be expecting, i.e. my index.
Shouldn't they all go to only one index? Why are they split?