Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do forwarders require indexes.conf?

jaoui
Path Finder
‎09-07-2011 11:30 AM

If i am setting up a heavy forwarder to monitor directories and tag indexes, do i need to create an indexes.conf on it or is specifying an index in inputs.conf sufficient?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎09-07-2011 11:51 AM

If you're going to go with the defaults you do not need to setup a $SPLUNK_HOME/etc/system/local/indexes.conf. You can go with the default out-of-the-box $SPLUNK_HOME/etc/system/default/indexes.conf. You also dont need to specify an index in inputs.conf if you want to write to the default main index.

Reply
Solved! Jump to solution

MuS
Legend
‎09-08-2011 07:24 AM

Hi jaoui, no you don't need it on the forwarder

0 Karma
Reply
Solved! Jump to solution

jaoui
Path Finder
‎09-07-2011 02:18 PM

i am planning out like 10 indexes on the inputs of this heavy forwarder (it will be monitoring directories written to by syslog-ng)

if i specify the indexes in inputs.conf like:
[monitor:///data/syslog-ng/cisco]
host_segment = 4
index = net_cisco
sourcetype = cisco_syslog

do i need a corresponding entry in indexes.conf on the forwarder for net_cisco? even though the forwarder is not itself indexing data?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top