Getting Data In
Highlighted

Both universal forwarders have the same inputs.conf, but why is the index of data changing based on which machine it comes from?

Path Finder

I'm gathering data from two machines, and depending on which one it comes from, it has a different index. Both universal forwarders have the same inputs.conf which looks like

[monitor://C:\Windows\.marimba\MarimbaEndpointTuner\history-y*.log]
disabled=0
index = main
sourcetype = marimba

Can anyone think of a reason as to why they are being put in separate indexes?

0 Karma
Highlighted

Re: Both universal forwarders have the same inputs.conf, but why is the index of data changing based on which machine it comes from?

SplunkTrust
SplunkTrust

Check your indexer for transforms.conf rules that overwrite the index based on some criterion.

Highlighted

Re: Both universal forwarders have the same inputs.conf, but why is the index of data changing based on which machine it comes from?

Path Finder

Got the problem fixed. I went under \apps\learned and deleted all of the contents in each folder on the Universal Forwarders. Now, they both are coming up with an index of main. Thanks for the suggestion.

0 Karma
Highlighted

Re: Both universal forwarders have the same inputs.conf, but why is the index of data changing based on which machine it comes from?

Path Finder

Got the problem fixed. I went under appslearned and deleted all of the contents in each folder on the Universal Forwarders. Now, they both are coming up with an index of main. Thanks for the suggestion.

View solution in original post

0 Karma