Deployment Architecture

Unable to send access.log events to the web index. Hosts should be www1, www2, www3

smdasim
Explorer

Hi,

I have created indexers (2 indexers) in an AWS environment with 2 forwarders and 1 search head. If I create indexes on the search head/indexers using the GUI, the configuration will be as shown below.
I am not able to send access.log from /opt/log/www*/access.log to the web index; please advise how I can fix it.
However, if I put it to the main index it works, but not to any other newly created index.

Configuration

Search Head
——-------------

deployment apps

/opt/splunk/etc/deployment-apps
[root@ip-172-31-19-169 deployment-apps]# ls -plrt
total 8
-r--r--r-- 1 506 506 307 Jul 10 03:26 README
drwx------ 4 root root 4096 Aug 17 11:06 _server_app_eng_webservers/
[root@ip-172-31-19-169 deployment-ap

/opt/splunk/etc/deployment-apps/_server_app_eng_webservers/local/

Inputs.conf

[root@ip-172-31-19-169 local]# cat inputs.conf
[monitor:///opt/log]
blacklist = secure.log
disabled = false
index = web
sourcetype = access_combined_wcookie
whitelist = www*
[root@ip-172-31-19-169 local]#

IDX
——

[root@ip-172-31-29-204 etc]# cat ./apps/search/local/indexes.conf
[web]
coldPath = $SPLUNK_DB/web/colddb
coldToFrozenDir = /opt/fozen/web
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/web/db
maxDataSize = 300
maxTotalDataSizeMB = 6000
thawedPath = $SPLUNK_DB/web/thaweddb
[root@ip-172-31-29-204 etc]
——

FWD
——
[root@ip-172-31-17-211 www1]# pwd
/opt/log/www1
-rw-r--r-- 1 root root 315210 Aug 17 05:21 access.log
[root@ip-172-31-17-211 www1]#
——

regards
smdasim

0 Karma

smdasim
Explorer

Solution: Create indexes and give user roles on the search head and indexers as shown below

https://developers.perfectomobile.com/display/TT/Splunk+-+Creating+your+Index

0 Karma

kmorris_splunk
Splunk Employee

When you say you created the index through the GUI, do you mean on the search head only? Or did you go into the GUI on the indexers as well? You will need to create the index on the indexers or push that out in the indexes.conf in your deployment app.

0 Karma

smdasim
Explorer

Kmorris,
I created indexes through the GUI from both the search head and the indexer. Can you please let me know why this is not working and which is the best way to accomplish this task for creating indexes and verifying it is configured properly?

regards
smdasim

0 Karma

smdasim
Explorer

Please find set up details below

SEARCHHEAD(DS) ---> INDEXER1 <------- FWD1 (/opt/log/www1/access.log)
SEARCHHEAD(DS) ---> INDEXER2 <------- FWD2

Note: DS = DEPLOYMENT SERVER and SEARCH HEAD ON SAME MACHINE; it is only one.

0 Karma
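One way to verify the configuration discussed in this thread, as an added example (not code from any poster or from Splunk): it parses the forwarder's inputs.conf and each indexer's indexes.conf, reports indexes that an input targets but an indexer does not define, and approximates which files the whitelist/blacklist regexes select. The conf text, the indexer names, the empty indexes.conf on the second indexer and the sample paths are constructed assumptions; Python's `re` stands in for Splunk's regex engine.

```python
import configparser
import re

# Constructed copy of the deployment app's inputs.conf shown in the thread.
FORWARDER_INPUTS = """
[monitor:///opt/log]
blacklist = secure.log
disabled = false
index = web
whitelist = www*
"""
# Constructed: indexer1 defines [web]; indexer2 (assumed) has no such stanza.
INDEXERS = {
    "indexer1": "[web]\nhomePath = $SPLUNK_DB/web/db\n",
    "indexer2": "",
}

def parse_conf(text):
    """Parse INI-like .conf text: no interpolation, keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def missing_indexes(inputs_text, indexers):
    """Map each indexer to the indexes that enabled inputs target but it lacks."""
    inputs = parse_conf(inputs_text)
    wanted = {inputs[s].get("index", fallback="main") for s in inputs.sections()
              if inputs[s].get("disabled", fallback="false").lower() not in ("1", "true")}
    # "main" exists by default, which is why events sent there are accepted.
    return {name: sorted(wanted - (set(parse_conf(text).sections()) | {"main"}))
            for name, text in indexers.items()}

def monitored(inputs_text, stanza, paths):
    """Paths under the monitor root that pass whitelist and blacklist.
    Both settings are regexes searched in the full path; blacklist wins."""
    s = parse_conf(inputs_text)[stanza]
    wl, bl = s.get("whitelist"), s.get("blacklist")
    root = stanza.split("://", 1)[1]
    return [p for p in paths
            if p.startswith(root)
            and (wl is None or re.search(wl, p))
            and not (bl and re.search(bl, p))]

if __name__ == "__main__":
    print(missing_indexes(FORWARDER_INPUTS, INDEXERS))
    print(monitored(FORWARDER_INPUTS, "monitor:///opt/log",
                    ["/opt/log/www1/access.log", "/opt/log/www1/secure.log"]))
```

A non-empty list for any indexer means events routed to that index have nowhere to land on that indexer, which matches the advice above to create the index on every indexer or push indexes.conf to them.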