Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do forwarders require indexes.conf?

jaoui
Path Finder
‎09-07-2011 11:30 AM

If i am setting up a heavy forwarder to monitor directories and tag indexes, do i need to create an indexes.conf on it or is specifying an index in inputs.conf sufficient?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎09-07-2011 11:51 AM

If you're going to go with the defaults you do not need to setup a $SPLUNK_HOME/etc/system/local/indexes.conf. You can go with the default out-of-the-box $SPLUNK_HOME/etc/system/default/indexes.conf. You also dont need to specify an index in inputs.conf if you want to write to the default main index.

Reply
Solved! Jump to solution

MuS
Legend
‎09-08-2011 07:24 AM

Hi jaoui, no you don't need it on the forwarder

0 Karma
Reply
Solved! Jump to solution

jaoui
Path Finder
‎09-07-2011 02:18 PM

i am planning out like 10 indexes on the inputs of this heavy forwarder (it will be monitoring directories written to by syslog-ng)

if i specify the indexes in inputs.conf like:
[monitor:///data/syslog-ng/cisco]
host_segment = 4
index = net_cisco
sourcetype = cisco_syslog

do i need a corresponding entry in indexes.conf on the forwarder for net_cisco? even though the forwarder is not itself indexing data?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...