Getting Data In

Forwarding to a specific Index

dbutch1976
Explorer

Hello,

Here is my current syntax for installing my Splunk forwarders:

msiexec.exe /i \\fileshare.domain.local\Splunkd\splunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domain\splunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

The result of installing the splunkforwarder using this method is that my Windows hosts are forwarding events to the default Splunk index. The Unix team has created a specific index just for our Windows machines and I need to update the syntax to forward events directly to an index called 'windows'. Can someone tell me what I need to change in order to accomplish this from the command line?

0 Karma

dbutch1976
Explorer

After thinking about it further I don't think that this method is ideal. Correct me if I'm wrong, but any changes to the inputs.conf file will not take effect until the splunkd service is restarted.

I'm concerned that events will go to the default index until the service restarts and the changes take effect. Are you sure that I can't modify my command line installation to make the appropriate change to the inputs.conf file? It's the same method I use to determine which logs I'm monitoring using the switches below:

msiexec.exe /i \\fileshare.domain.local\Splunkd\splunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domain\splunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

0 Karma

hazekamp
Builder

I would actually recommend making these routing decisions on the indexer w/ the configs specified above, especially if you are not using deployment server.

0 Karma

jbsplunk
Splunk Employee

To reload inputs without having to restart splunkd you can run the command 'splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme' from your $SPLUNK_HOME/bin/ folder.

Just for the sake of avoiding confusion, it might be better to edit your initial answers vs adding new ones.

dbutch1976
Explorer

Could you confirm that the file I need to modify in order to make this change is:

C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default\inputs.conf

Thanks.

0 Karma

jbsplunk
Splunk Employee

You shouldn't make edits to things that exist inside of the default folder.

Changes should be made in the local folder.

For details, see http://www.splunk.com/base/Documentation/latest/admin/Aboutconfigurationfiles

The configuration directory structure

The following is the configuration directory structure that exists under $SPLUNK_HOME/etc:

$SPLUNK_HOME/etc/system/default
    This contains the pre-configured configuration files. Do not modify the files in this directory.

hazekamp
Builder

dbutch,

Since you are using a light forwarder you can route data to an alternate index using the following configurations on your indexer(s).

## props.conf
[host::<your_host>]
TRANSFORMS-force_index_for_your_host = force_index_windows

## transforms.conf
[force_index_windows]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows

Or this could be achieved on the forwarder by using:

## inputs.conf
[default]
index = windows
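To show how the local/default layering jbsplunk describes combines with the [default] stanza above, here is an added Python model; it is not Splunk's code, uses a simplified conf parser, and the two sample inputs.conf layers are constructed. It also shows the caveat that a stanza carrying its own explicit index is not moved by a [default] index.

```python
"""Model Splunk's inputs.conf layering: local/ overrides default/ per key,
and a [default] stanza supplies values other stanzas inherit (simplified)."""
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse INI-style .conf text into {stanza: {key: value}} (constructed, simplified parser)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas

def merge_layers(*layers):
    """Later layers win per key, mirroring default/ < local/ precedence."""
    merged = {}
    for layer in layers:
        for name, settings in layer.items():
            merged.setdefault(name, {}).update(settings)
    return merged

def effective_index(conf, stanza):
    """Index an input sends to: its own setting, else [default], else 'main'."""
    settings = conf.get(stanza, {})
    if "index" in settings:
        return settings["index"]
    return conf.get("default", {}).get("index", "main")

# Constructed sample: default/inputs.conf shipped by the app, local/inputs.conf added by the admin.
DEFAULT_INPUTS = "[WinEventLog:Security]\ndisabled = 0\n\n[WinEventLog:Application]\ndisabled = 0\nindex = main\n"
LOCAL_INPUTS = "[default]\nindex = windows\n"

def resolve_all():
    """Return {input stanza: effective index} after layering local over default."""
    conf = merge_layers(parse_conf(DEFAULT_INPUTS), parse_conf(LOCAL_INPUTS))
    return {name: effective_index(conf, name) for name in conf if name != "default"}

if __name__ == "__main__":
    for stanza, index in resolve_all().items():
        print(f"{stanza} -> {index}")
```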