Deployment Architecture

Unable to send access.log events to the web index. Hosts should be www1, www2, www3

smdasim
Explorer

Hi,

I have created indexers (2 indexers) in an AWS environment with 2 forwarders and 1 search head. If I create indexes on a search head/indexers using GUI will the configuration as shown below.
I am not able to send access.log from /opt/log/www*/access.log to the web index; please advise how I can fix it.
However, if I put it to the main index it works, but not to any other newly created index.

Configuration

Search Head
——-------------

deployment apps

/opt/splunk/etc/deployment-apps
[root@ip-172-31-19-169 deployment-apps]# ls -plrt
total 8
-r--r--r-- 1 506 506 307 Jul 10 03:26 README
drwx------ 4 root root 4096 Aug 17 11:06 _server_app_eng_webservers/
[root@ip-172-31-19-169 deployment-ap

/opt/splunk/etc/deployment-apps/_server_app_eng_webservers/local/

Inputs.conf

[root@ip-172-31-19-169 local]# cat inputs.conf
[monitor:///opt/log]
blacklist = secure.log
disabled = false
index = web
sourcetype = access_combined_wcookie
whitelist = www*
[root@ip-172-31-19-169 local]#

IDX
——

[root@ip-172-31-29-204 etc]# cat ./apps/search/local/indexes.conf
[web]
coldPath = $SPLUNK_DB/web/colddb
coldToFrozenDir = /opt/fozen/web
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/web/db
maxDataSize = 300
maxTotalDataSizeMB = 6000
thawedPath = $SPLUNK_DB/web/thaweddb
[root@ip-172-31-29-204 etc]
——

FWD
——
[root@ip-172-31-17-211 www1]# pwd
/opt/log/www1
-rw-r--r-- 1 root root 315210 Aug 17 05:21 access.log
[root@ip-172-31-17-211 www1]#
——

regards
smdasim

0 Karma

smdasim
Explorer

Solution: Create indexes and give user roles on search head and indexers as shown below

https://developers.perfectomobile.com/display/TT/Splunk+-+Creating+your+Index

0 Karma

kmorris_splunk
Splunk Employee

When you say you created the index through the GUI, do you mean on the search head only? Or did you go into the GUI on the indexers as well? You will need to create the index on the indexers or push that out in the indexes.conf in your deployment app.

0 Karma
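A way to run the check this reply and the accepted solution point to, as an added example that is not part of the original thread or any Splunk tooling: it compares the index each enabled input writes to against every indexer's indexes.conf and against a role's `srchIndexesAllowed` in authorize.conf. The indexer names `idx1`/`idx2`, the role `role_web_analyst` and all sample config text are constructed assumptions.

```python
import fnmatch
import re

# Constructed samples modelled on the thread; idx1/idx2 and the role are hypothetical.
INPUTS = """[monitor:///opt/log]
disabled = false
index = web
"""
INDEXERS = {
    "idx1": "[web]\nhomePath = $SPLUNK_DB/web/db\ncoldPath = $SPLUNK_DB/web/colddb\n",
    "idx2": "# no [web] stanza was deployed here\n",
}
AUTHORIZE = "[role_web_analyst]\nsrchIndexesAllowed = main;summary\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; continuations not handled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(inputs, indexers, authorize, role):
    """List gaps between indexes the inputs write to and what peers/roles allow."""
    allowed = parse_conf(authorize).get(role, {}).get("srchIndexesAllowed", "")
    patterns = [p.strip() for p in allowed.split(";") if p.strip()]
    findings = []
    for stanza, kv in parse_conf(inputs).items():
        if kv.get("disabled", "false").lower() in ("1", "true"):
            continue
        idx = kv.get("index", "main")  # no index= means the default index, main
        for host, conf in sorted(indexers.items()):
            # main ships predefined, so it is not expected in a local indexes.conf
            if idx != "main" and idx not in parse_conf(conf):
                findings.append(f"{host}: index '{idx}' missing for [{stanza}]")
        # Simplification: plain glob match; internal (_-prefixed) indexes not modelled.
        if not any(fnmatch.fnmatchcase(idx, p) for p in patterns):
            findings.append(f"role {role}: cannot search index '{idx}'")
    return findings

if __name__ == "__main__":
    for finding in audit(INPUTS, INDEXERS, AUTHORIZE, "role_web_analyst"):
        print(finding)
```

Either finding is enough to make events in the web index appear to be missing, while inputs pointed at main keep working.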

smdasim
Explorer

Kmorris,
I created indexes through the GUI from both the search head and the indexer. Can you please let me know why this is not working, and which is the best way to accomplish this task of creating indexes and verifying they are configured properly?

regards
smdasim

0 Karma

smdasim
Explorer

Please find setup details below

SEARCHHEAD(DS) ---> INDEXER1 <------- FWD1 (/opt/log/www1/access.log)
SEARCHHEAD(DS) ---> INDEXER2 <------- FWD2

Note: DS = DEPLOYMENT SERVER and SEARCH HEAD ON SAME MACHINE; it is only one.

0 Karma