Just need help understanding deployment servers better and how you are able to forwarder data to a 'specific index'
My current setp:
What I am confused about is when I access the deployment server and
- select 'add data'
- I then select the available host ( and select both my UF)
- I then create a new server class called Linux UF
- I then select source /var/log
- Now I come to the option where I select the 'Index'.... This is were my confusion is as the 'test' indexes I have successfully created with the master are not showing! I just want to be able to send my var/log LOGS to the 'test' index.
Does this mean I need to manual update the inputs.conf to include index = test.
If possible could you please help list the required steps to help give me a better understanding as right now I'm confusing myself to much.
much appreciated and thank you!
Can you override the index setting on this part of the GUI?
Some older Splunk applications and I'm assuming versions did not have the option of typing an index name that was not listed on the local server.
In other words, if your deployment server does not have the index "test" then you could not select this index.
You could update your applications inputs.conf file on the file system of the deployment server (which I would recommend) or you can use a hack of creating the index configuration on the deployment server and this will allow you to select the index you wish.
If you are following the best practice then you will be creating a "dummy" index here as it will always forward data to the indexers anyway.
I have used the above hack on older applications/Splunk versions. Although I wonder if having the deployment server act as a search head (communicate with the cluster master) might also resolve this issue...