Forwarder data going to main index

m314219 · ‎06-03-2017

I setup the Universal Forwarder on several Windows servers and pointed it towards my Splunk instance.

After installing the forwarder, I went to Splunk web > Add Data > Forward > Event Logs and selected the 'WindowsServer' server class that I had setup and selected my index called 'windows'.

However, despite the 'windows' index being set, all of the data coming from my universal forwarders is going into my 'main' index.

How can I correct this?

rphillips_splk · ‎06-04-2017

@m314219 The btool output on inputs.conf will show your configured inputs. If there is no 'index=' attribute defined, then the events will go to the default index 'main'. You can edit inputs.conf directly such as:

inputs.conf (forwarder)

[WinEventLog://<name>]
index = windows

restart splunk after making the config change

note: make sure you've configured the 'windows' index on the indexers in indexes.conf

ddrillic · ‎06-04-2017

A similar issue at Why my data go in the wrong Index ?

rphillips_splk · ‎06-04-2017

@m314219 can you run the following from cli on your forwarder and attach the results, pointing out which input is in question.

from $SPLUNK_HOME\bin

.\splunk btool inputs list --debug > inputs.txt

Forwarder data going to main index

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Forwarder data going to main index

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience