Change the INDEX for the data received from Splunk Forwarder

klkumar10
Explorer

I have Splunk (4.1.2) with Search / Indexer running on Red Hat Linux, and I installed Splunk (4.1.2) as a forwarder on a Windows server.

From the Windows Splunk forwarder I am collecting Windows remote logs using WMI and forwarding them to my Splunk instance running on Linux.

By default, all the WMI data collected is going to the "main" index. I created an index called windows on the main Splunk instance on Linux. I want all the data coming from the Windows forwarder to go to the index "windows".

Can someone help me in configuring the same?

Simeon
Splunk Employee

When the data leaves the forwarder it can be labeled with the other index you want to send to. There are two steps that need to occur:

1 - Create the index on the Splunk indexer. You can do this via the GUI and you will need to restart Splunk for the index to be created.

2 - Modify the WMI input settings on the forwarder to use the windows index. To do this, find the input setting for your WMI input (likely in $SPLUNK_HOME/etc/apps/windows/default) and set the index value to windows. Typically, you can just edit your inputs.conf file and add an "index=windows" line under your WMI input:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
index=windows

gopala
New Member

Hi, Question for Simeon.
I have tried to configure the script thing and it doesn't work. I might be missing something or doing something wrong.
Also in our forwarder the path/script names are slightly different:

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf

C:\Program Files\SplunkUniversalForwarder\bin\scripts\splunk-wmi.path

splunk-wmi.path is actually not a Python script but a file whose content is just the text:
$SPLUNK_HOME\bin\splunk-wmi.exe

Maybe we need to modify a different inputs.conf? This type of file is everywhere inside the $splunkhome.
The exact modification we need to do is to write just "RIGHT" under the label ###### Scripted Input (See also wmi.conf):
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
index=windows

Is this correct? Including all the brackets, etc.? I'm totally lost.

...So the Windows forwarded logs arrive in the main index, which is something that we don't want.
On the other hand we don't want to change the main index to be our Windows index. We would like to keep everything in its proper place.
Any hints?

krusty
Contributor

Hi,

is it possible to use different indexes on the main Splunk server? For example, I have 2 fileservers in our Windows environment and many other Windows servers. The event data of the fileservers should be stored in "index_fileserver" and the event data of the other Windows servers should be stored in "index_windows". How can I configure this on the Windows forwarder?

Thanks

klkumar10
Explorer

Thanks for the solution.

But instead of adding the script option, I set the default index to windows in inputs.conf:

$SPLUNK_HOME/etc/apps/windows/local/inputs.conf

[default]
index = windows

And then restarted Splunk; it works.

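Both working approaches in this thread (Simeon's per-stanza index=windows under the WMI input, and klkumar10's index=windows in the [default] stanza of local/inputs.conf) depend on the same resolution rules: for the same stanza, settings in local/ override default/; an index set inside a stanza wins over one set in [default]; and with neither present the indexer's own default (main) applies. The Python script below is an added example, not code from the thread or from Splunk. It models those rules with a small .conf parser and a pre-deploy routing check over two constructed inputs.conf layers. The monitor://D:\fileserver\audit.log stanza, the index_fileserver value and the interval/sourcetype settings are hypothetical, used to show one input pinned to a different index than the app-wide default.

```python
"""
Resolve which index a Splunk forwarder input will be tagged with, using the
layering rules discussed in the thread: local/ overrides default/ for the same
stanza, a stanza-level 'index' beats the [default] 'index', and the [default]
'index' beats the indexer's own default (main).
"""
import re

# Constructed sample config layers (not copied from a real install). The WMI
# stanza name mirrors the thread; the monitor:// stanza is hypothetical.
WMI_STANZA = r"script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py"
FS_STANZA = r"monitor://D:\fileserver\audit.log"

DEFAULT_INPUTS = r"""
###### Scripted Input (See also wmi.conf):
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled = 0
interval = 60
"""

LOCAL_INPUTS = r"""
# App-wide default: everything this app collects goes to 'windows'...
[default]
index = windows

# ...except one input pinned to its own index (per-stanza override).
[monitor://D:\fileserver\audit.log]
index = index_fileserver
sourcetype = fs_audit
"""

STANZA_RE = re.compile(r"\[(.+)\]")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Keys before any [stanza] header are filed under 'default' (a
    simplification chosen for this toy parser). Comments and blank lines
    are skipped; lines without '=' are ignored rather than raising.
    """
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.fullmatch(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge layers key by key; later layers win (local/ over default/)."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def effective_index(conf, stanza, indexer_default="main"):
    """Precedence: stanza 'index' > [default] 'index' > indexer default."""
    if stanza not in conf:
        raise KeyError(f"no such input stanza: {stanza!r}")
    settings = conf[stanza]
    if "index" in settings:
        return settings["index"]
    return conf.get("default", {}).get("index", indexer_default)


def misrouted_inputs(conf, expected):
    """Return [(stanza, actual, wanted)] for inputs not landing where expected.

    An empty list means the routing matches the intent; run this before
    restarting the forwarder, not after events have already hit 'main'.
    """
    problems = []
    for stanza, wanted in expected.items():
        actual = effective_index(conf, stanza)
        if actual != wanted:
            problems.append((stanza, actual, wanted))
    return problems


def load_forwarder_app(default_text=DEFAULT_INPUTS, local_text=LOCAL_INPUTS):
    """Build the merged view of one app's inputs.conf from its two layers."""
    return merge_layers(parse_conf(default_text), parse_conf(local_text))


if __name__ == "__main__":
    conf = load_forwarder_app()
    for name in (WMI_STANZA, FS_STANZA):
        print(f"{name} -> {effective_index(conf, name)}")
    only_default = parse_conf(DEFAULT_INPUTS)
    print(f"{WMI_STANZA} with only default/ loaded -> "
          f"{effective_index(only_default, WMI_STANZA)}")
```

The WMI stanza never names an index itself, so it resolves to windows through [default] once local/inputs.conf is layered on, and to main when only default/inputs.conf is loaded, which is exactly the symptom the question describes. Real Splunk precedence also involves system/local and the ordering between apps; this model covers only the single-app default/ versus local/ case the thread is about.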