Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do forwarders require indexes.conf?

jaoui
Path Finder
‎09-07-2011 11:30 AM

If i am setting up a heavy forwarder to monitor directories and tag indexes, do i need to create an indexes.conf on it or is specifying an index in inputs.conf sufficient?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎09-07-2011 11:51 AM

If you're going to go with the defaults you do not need to setup a $SPLUNK_HOME/etc/system/local/indexes.conf. You can go with the default out-of-the-box $SPLUNK_HOME/etc/system/default/indexes.conf. You also dont need to specify an index in inputs.conf if you want to write to the default main index.

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-08-2011 07:24 AM

Hi jaoui, no you don't need it on the forwarder

0 Karma
Reply
Solved! Jump to solution

jaoui
Path Finder
‎09-07-2011 02:18 PM

i am planning out like 10 indexes on the inputs of this heavy forwarder (it will be monitoring directories written to by syslog-ng)

if i specify the indexes in inputs.conf like:
[monitor:///data/syslog-ng/cisco]
host_segment = 4
index = net_cisco
sourcetype = cisco_syslog

do i need a corresponding entry in indexes.conf on the forwarder for net_cisco? even though the forwarder is not itself indexing data?

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!