Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do forwarders require indexes.conf?

jaoui
Path Finder
‎09-07-2011 11:30 AM

If i am setting up a heavy forwarder to monitor directories and tag indexes, do i need to create an indexes.conf on it or is specifying an index in inputs.conf sufficient?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

View solution in original post

Reply
Solved! Jump to solution
Solution

jaoui
Path Finder
‎09-07-2011 10:51 PM

I learned that Splunk Forwarders do not necessarily need indexes.conf to tag inputs for a given index but there are 3 different scenarios:

  1. When using the configuration files there is no restriction and Splunk will forward correctly without the indexes.conf
  2. When using the CLI, splunk will complain if we try to configure inputs without a corresponding entry in indexes.conf
  3. When using the web, we will only be presented with indexes configured in indexes.conf

Hope that helps others!

Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎09-07-2011 11:51 AM

If you're going to go with the defaults you do not need to setup a $SPLUNK_HOME/etc/system/local/indexes.conf. You can go with the default out-of-the-box $SPLUNK_HOME/etc/system/default/indexes.conf. You also dont need to specify an index in inputs.conf if you want to write to the default main index.

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-08-2011 07:24 AM

Hi jaoui, no you don't need it on the forwarder

0 Karma
Reply
Solved! Jump to solution

jaoui
Path Finder
‎09-07-2011 02:18 PM

i am planning out like 10 indexes on the inputs of this heavy forwarder (it will be monitoring directories written to by syslog-ng)

if i specify the indexes in inputs.conf like:
[monitor:///data/syslog-ng/cisco]
host_segment = 4
index = net_cisco
sourcetype = cisco_syslog

do i need a corresponding entry in indexes.conf on the forwarder for net_cisco? even though the forwarder is not itself indexing data?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...