Hi,

I have set up a Splunk Enterprise instance (version 8.2.1) and a Universal Forwarder instance on Docker on the same machine, and I'm trying to forward data into the Splunk indexer. Here's what I have so far:

On the Splunk Enterprise instance (1.1.1.1):

• Created an app named "abc"
• Created an index named "abc_idx" on app "abc"
• Created a sourcetype named "abc_data" on app "abc"

On the Splunk forwarder:

• Added the indexer: "./bin/splunk add forward-server 1.1.1.1:9997"
• My very next command was "./bin/splunk add monitor /splunk_forward/log"
• Then I realized I wanted the monitored logs to be added to the index "abc_idx" and using the sourcetype "abc_data", so I removed the monitor, and then restarted the container.

This is when I see the events appearing in the "main" index, so I believe the files did get forwarded.

I then ran on the Splunk forwarder:

• ./bin/splunk add monitor /splunk_forward/log -index abc_idx -sourcetype abc_data

But I did not see any event on the index "abc_idx".

However, if I run the "oneshot" command, the events show up in the index "abc_idx"

Is Splunk refusing to (re)index the same files again, even though they are going to different indexes?

Also, I thought the commands I typed would end up in "/opt/splunkforwarder/etc/system/local/inputs.conf"? But I only see "[splunktcp://9997]" in it, not the folder I'm monitoring. Am I looking at the wrong file?

However, I see the following in "/opt/splunkforwarder/etc/system/local/outputs.conf":

[tcpout:default-autolb-group]

server = 1.1.1.1:9997

[tcpout-server://1.1.1.1:9997]

So why did my indexer configuration become part of the config file? Preferably, I would like to configure the forwarder using the config files, but I'm not sure exactly which ones to modify - local/inputs.conf and anything else?

Thank you.