Forwarding to a specific Index

dbutch1976
Explorer

Hello,

Here is my current syntax for installing my Splunk forwarders:

msiexec.exe /i \\fileshare.domain.local Splunkdsplunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domainsplunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

The result of installing the Splunk forwarder using this method is that my Windows hosts are forwarding events to the default Splunk index. The Unix team has created a specific index just for our Windows machines and I need to update the syntax to forward events directly to an index called 'windows.' Can someone tell me what I need to change in order to accomplish this from the command line?

0 Karma

dbutch1976
Explorer

After thinking about it further I don't think that this method is ideal. Correct me if I'm wrong, but any changes to the inputs.conf file will not take effect until the splunkd service is restarted.

I'm concerned that events will go to the default index until the service restarts and the changes take effect. Are you sure that I can't modify my command line installation to make the appropriate change to the inputs.conf file? It's the same method I use to determine which logs I'm monitoring using the switches below:

msiexec.exe /i \fileshare.domain.local Splunkdsplunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domainsplunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet

0 Karma

hazekamp
Builder

I would actually recommend making these routing decisions on the indexer w/ the configs specified above, especially if you are not using deployment server.

0 Karma

jbsplunk
Splunk Employee

To reload inputs without having to restart splunkd you can run the command 'splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme' from your $SPLUNK_HOME/bin/ folder.

Just for the sake of avoiding confusion, it might be better to edit your initial answers vs adding new ones.

dbutch1976
Explorer

Could you confirm that the file I need to modify in order to make this change is:

C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default\inputs.conf

Thanks.

0 Karma

jbsplunk
Splunk Employee

You shouldn't make edits to things that exist inside of the default folder.

Changes should be made in the local folder.

For details, see http://www.splunk.com/base/Documentation/latest/admin/Aboutconfigurationfiles

The configuration directory structure

The following is the configuration directory structure that exists under $SPLUNK_HOME/etc:

$SPLUNK_HOME/etc/system/default
    This contains the pre-configured configuration files. Do not modify the files in this directory.

hazekamp
Builder

dbutch,

Since you are using a light forwarder you can route data to an alternate index using the following configurations on your indexer(s).

## props.conf
[host::<your_host>]
TRANSFORMS-force_index_for_your_host = force_index_windows

## transforms.conf
[force_index_windows]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows

Or this could be achieved on the forwarder by using:

## inputs.conf
[default]
index = windows
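
An added example, not part of any post in this thread: a simplified Python model of how the forwarder-side option above resolves once a `local/inputs.conf` is layered over the app's `default/inputs.conf`. The file contents are constructed samples and the function names are hypothetical; only one app's two layers are modelled, whereas Splunk merges more layers than this. It shows the case worth checking before relying on `[default]`: a stanza that sets its own `index` keeps it.

```python
import configparser

# Constructed sample files (not taken from a real forwarder).
DEFAULT_CONF = """\
[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
disabled = 0
index = main
"""

LOCAL_CONF = """\
[default]
index = windows
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__none__")
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def merge(default, local):
    """Overlay local settings on default settings, key by key."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def effective_indexes(default_text, local_text, fallback="main"):
    """Return {input stanza: index its events are sent to}."""
    merged = merge(parse_conf(default_text), parse_conf(local_text))
    global_kv = merged.pop("default", {})  # [default] = global settings
    return {s: kv.get("index", global_kv.get("index", fallback))
            for s, kv in merged.items()}

def pinned_elsewhere(default_text, local_text, wanted):
    """Stanzas whose own index setting wins over the [default] value."""
    eff = effective_indexes(default_text, local_text)
    return sorted(s for s, idx in eff.items() if idx != wanted)

if __name__ == "__main__":
    for stanza, idx in effective_indexes(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"{stanza:28} -> {idx}")
    print("not in 'windows':", pinned_elsewhere(DEFAULT_CONF, LOCAL_CONF, "windows"))
```
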