Hello,
Here is my current syntax for installing my Splunk forwarders:
msiexec.exe /i \\fileshare.domain.local\Splunkd\splunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domain\splunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet
The result of installing the splunkforwarder using this method is that my Windows hosts are forwarding events to the default Splunk index. The Unix team has created a specific index just for our Windows machines and I need to update the syntax to forward events directly to an index called 'windows.' Can someone tell me what I need to change in order to accomplish this from the command line?
After thinking about it further I don't think that this method is ideal. Correct me if I'm wrong, but any changes to the inputs.conf file will not take effect until the splunkd service is restarted.
I'm concerned that events will go to the default index until the service restarts and the changes take effect. Are you sure that I can't modify my command line installation to make the appropriate change to the inputs.conf file? It's the same method I use to determine which logs I'm monitoring, using the switches below:
msiexec.exe /i \\fileshare.domain.local\Splunkd\splunk-4.2.1-98164-x86-release.msi SPLUNK_APP="SplunkLightForwarder" FORWARD_SERVER="splunk.domain.local:9997" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="Domain\splunk-svc" IS_NET_API_LOGON_PASSWORD="Password1" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 /quiet
I would actually recommend making these routing decisions on the indexer w/ the configs specified above, especially if you are not using deployment server.
To reload inputs without having to restart splunkd you can run the command 'splunk _internal call /services/data/inputs/monitor/_reload -auth admin:changeme' from your $SPLUNK_HOME/bin/ folder.
Just for the sake of avoiding confusion, it might be better to edit your initial answers vs adding new ones.
Could you confirm that the file I need to modify in order to make this change is:
C:\Program Files\Splunk\etc\apps\SplunkLightForwarder\default\inputs.conf
Thanks.
You shouldn't make edits to things that exist inside of the default folder.
Changes should be made in the local folder
For details, see http://www.splunk.com/base/Documentation/latest/admin/Aboutconfigurationfiles
The configuration directory structure
The following is the configuration directory structure that exists under $SPLUNK_HOME/etc:
$SPLUNK_HOME/etc/system/default
This contains the pre-configured configuration files. Do not modify the files in this directory.
dbutch,
Since you are using a light forwarder you can route data to an alternate index using the following configurations on your indexer(s).
## props.conf
[host::<your_host>]
TRANSFORMS-force_index_for_your_host = force_index_windows
## transforms.conf
[force_index_windows]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows
Or this could be achieved on the forwarder by using:
## inputs.conf
[default]
index = windows
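As an added example (not code posted in this thread), here is a PowerShell version of the install that ties the msiexec command from the question to the forwarder-side inputs.conf override in the last answer, writing the index into the app's local folder before splunkd is ever started, which removes the window in which events would land in the default index. It assumes the Splunk MSI honours the LAUNCHSPLUNK=0 property, the install path C:\Program Files\Splunk quoted earlier in the thread, and a Windows service named Splunkd; the share path and service account are the thread's own placeholders.

```powershell
# Added example, not from the original thread.
# Assumptions: the MSI honours LAUNCHSPLUNK=0, Splunk installs to
# C:\Program Files\Splunk, and the splunkd Windows service is named "Splunkd".
$msi        = '\\fileshare.domain.local\Splunkd\splunk-4.2.1-98164-x86-release.msi'
$splunkHome = 'C:\Program Files\Splunk'

# Prompt for the service account rather than hard-coding the password in the script.
$cred = Get-Credential -UserName 'Domain\splunk-svc' -Message 'Splunk service account'

$props = @(
    'SPLUNK_APP="SplunkLightForwarder"',
    'FORWARD_SERVER="splunk.domain.local:9997"',
    'RBG_LOGON_INFO_USER_CONTEXT=2',
    "IS_NET_API_LOGON_USERNAME=`"$($cred.UserName)`"",
    "IS_NET_API_LOGON_PASSWORD=`"$($cred.GetNetworkCredential().Password)`"",
    'WINEVENTLOG_APP_ENABLE=1',
    'WINEVENTLOG_SEC_ENABLE=1',
    'WINEVENTLOG_SYS_ENABLE=1',
    'LAUNCHSPLUNK=0'          # install the files and service, but do not start splunkd yet
)

$args = @('/i', "`"$msi`"") + $props + @('/quiet')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Put the override in local\, never in default\ (default\ is replaced on upgrade
# and local\ takes precedence over it).
$localDir = Join-Path $splunkHome 'etc\apps\SplunkLightForwarder\local'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
$inputsConf = @"
[default]
index = windows
"@
Set-Content -Path (Join-Path $localDir 'inputs.conf') -Value $inputsConf -Encoding ASCII

# Start splunkd only now: the first event it forwards already carries index=windows,
# so no reload or restart is needed to pick up the change.
Start-Service -Name 'Splunkd'
Get-Service -Name 'Splunkd' | Select-Object Name, Status
```

If the forwarder is managed by deployment server instead, the same [default] stanza belongs in the deployed app's local\inputs.conf rather than on each host.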