Forwarder data going to main index

m314219 · ‎06-03-2017

I setup the Universal Forwarder on several Windows servers and pointed it towards my Splunk instance.

After installing the forwarder, I went to Splunk web > Add Data > Forward > Event Logs and selected the 'WindowsServer' server class that I had setup and selected my index called 'windows'.

However, despite the 'windows' index being set, all of the data coming from my universal forwarders is going into my 'main' index.

How can I correct this?

rphillips_splk · ‎06-04-2017

@m314219 The btool output on inputs.conf will show your configured inputs. If there is no 'index=' attribute defined, then the events will go to the default index 'main'. You can edit inputs.conf directly such as:

inputs.conf (forwarder)

[WinEventLog://<name>]
index = windows

restart splunk after making the config change

note: make sure you've configured the 'windows' index on the indexers in indexes.conf

ddrillic · ‎06-04-2017

A similar issue at Why my data go in the wrong Index ?

rphillips_splk · ‎06-04-2017

@m314219 can you run the following from cli on your forwarder and attach the results, pointing out which input is in question.

from $SPLUNK_HOME\bin

.\splunk btool inputs list --debug > inputs.txt

Forwarder data going to main index

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Forwarder data going to main index

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...