Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do forwarders require indexes.conf?

jaoui
Path Finder
‎09-07-2011 11:30 AM

If i am setting up a heavy forwarder to monitor directories and tag indexes, do i need to create an indexes.conf on it or is specifying an index in inputs.conf sufficient?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎09-07-2011 11:51 AM

If you're going to go with the defaults you do not need to setup a $SPLUNK_HOME/etc/system/local/indexes.conf. You can go with the default out-of-the-box $SPLUNK_HOME/etc/system/default/indexes.conf. You also dont need to specify an index in inputs.conf if you want to write to the default main index.

Reply
Solved! Jump to solution

MuS
Legend
‎09-08-2011 07:24 AM

Hi jaoui, no you don't need it on the forwarder

0 Karma
Reply
Solved! Jump to solution

jaoui
Path Finder
‎09-07-2011 02:18 PM

i am planning out like 10 indexes on the inputs of this heavy forwarder (it will be monitoring directories written to by syslog-ng)

if i specify the indexes in inputs.conf like:
[monitor:///data/syslog-ng/cisco]
host_segment = 4
index = net_cisco
sourcetype = cisco_syslog

do i need a corresponding entry in indexes.conf on the forwarder for net_cisco? even though the forwarder is not itself indexing data?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top