Deployment Architecture

Unable to send access.log events to the web index. Hosts should be www1, www2, www3

smdasim
Explorer

Hi,

I have created indexers (2 indexers) in an AWS environment with 2 forwarders and 1 search head. If I create indexes on a search head/indexers using the GUI, the configuration will be as shown below.
I am not able to send access.log from /opt/log/www*/access.log to the web index. Please advise how I can fix it.
However, if I send it to the main index it works, but not to any other newly created index.

Configuration

Search Head
——-------------

deployment apps

/opt/splunk/etc/deployment-apps
[root@ip-172-31-19-169 deployment-apps]# ls -plrt
total 8
-r--r--r-- 1 506 506 307 Jul 10 03:26 README
drwx------ 4 root root 4096 Aug 17 11:06 _server_app_eng_webservers/
[root@ip-172-31-19-169 deployment-ap

/opt/splunk/etc/deployment-apps/_server_app_eng_webservers/local/

Inputs.conf

[root@ip-172-31-19-169 local]# cat inputs.conf
[monitor:///opt/log]
blacklist = secure.log
disabled = false
index = web
sourcetype = access_combined_wcookie
whitelist = www*
[root@ip-172-31-19-169 local]#

IDX
——

[root@ip-172-31-29-204 etc]# cat ./apps/search/local/indexes.conf
[web]
coldPath = $SPLUNK_DB/web/colddb
coldToFrozenDir = /opt/fozen/web
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/web/db
maxDataSize = 300
maxTotalDataSizeMB = 6000
thawedPath = $SPLUNK_DB/web/thaweddb
[root@ip-172-31-29-204 etc]
——

FWD
——
[root@ip-172-31-17-211 www1]# pwd
/opt/log/www1
-rw-r--r-- 1 root root 315210 Aug 17 05:21 access.log
[root@ip-172-31-17-211 www1]#
——

regards
smdasim

0 Karma

smdasim
Explorer

Solution: Create indexes and give user roles on the search head and indexers as shown below

https://developers.perfectomobile.com/display/TT/Splunk+-+Creating+your+Index

0 Karma

kmorris_splunk
Splunk Employee

When you say you created the index through the GUI, do you mean on the search head only? Or did you go into the GUI on the indexers as well? You will need to create the index on the indexers or push that out in the indexes.conf in your deployment app.

0 Karma
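The check suggested in the answer above (every index named in the forwarder's inputs.conf must be defined on each indexer) can be scripted. This is an added example, not code from the thread or from Splunk; the indexer names `idx1`/`idx2`, the `[summary_test]` stanza and the helper names are hypothetical, and each indexer's text is assumed to be its already merged indexes.conf.

```python
# Added example: cross-check a forwarder's inputs.conf against each indexer's indexes.conf.
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")
BUILTIN = {"main"}  # assumption for this sketch: only "main" is treated as always present

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def missing_indexes(inputs_text, indexers):
    """Return {(input_stanza, index): [indexers that do not define that index]}."""
    problems = {}
    for stanza, settings in parse_conf(inputs_text).items():
        if settings.get("disabled", "false").lower() in ("1", "true"):
            continue  # disabled inputs send nothing
        index = settings.get("index", "main")  # inputs without index= go to main
        lacking = sorted(name for name, conf in indexers.items()
                         if index not in BUILTIN and index not in parse_conf(conf))
        if lacking:
            problems[(stanza, index)] = lacking
    return problems

# Constructed sample: inputs.conf as posted in the question; idx2 is a
# hypothetical indexer whose indexes.conf has no [web] stanza.
INPUTS = """[monitor:///opt/log]
blacklist = secure.log
disabled = false
index = web
sourcetype = access_combined_wcookie
whitelist = www*
"""
INDEXERS = {
    "idx1": "[web]\nhomePath = $SPLUNK_DB/web/db\ncoldPath = $SPLUNK_DB/web/colddb\n",
    "idx2": "[summary_test]\nhomePath = $SPLUNK_DB/summary_test/db\n",
}

if __name__ == "__main__":
    for (stanza, index), hosts in missing_indexes(INPUTS, INDEXERS).items():
        print(f"{stanza}: index '{index}' not defined on {', '.join(hosts)}")
```

On a real indexer, the merged configuration to feed in can be taken from `splunk btool indexes list`.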

smdasim
Explorer

Kmorris,
I created indexes through the GUI from both the search head and the indexer. Can you please let me know why this is not working and which is the best way to accomplish this task of creating indexes and verifying it is configured properly.

regards
smdasim

0 Karma

smdasim
Explorer

Please find setup details below

SEARCHHEAD(DS) ---> INDEXER1 <------- FWD1 (/opt/log/www1/access.log)
SEARCHHEAD(DS) ---> INDEXER2 <------- FWD2

Note: DS = DEPLOYMENT SERVER, and the SEARCH HEAD is ON THE SAME MACHINE; there is only one.

0 Karma