Getting Data In

How can I forward to a specific custom index?

MU_IT
New Member

I would like to aggregate data from my NPS servers for helpdesk/support use. I have set up a custom index on each server, and I can pull up data with searches on each inside these indexes. How would I forward just the data in a custom index to my central splunk server?

I hope to set up a search on my central server for "NPS Login Failures" and the like against index="NPS_LOGS".

I am 100% windows, using 4.1.2 on all systems.

Thanks.

Tags (2)
0 Karma

Mick
Splunk Employee
Splunk Employee

If it's the case that you want to index some data locally and forward other data to another indexer, then you want to route the data using the instructions here.

Alternatively, you can just index the data on your local instance as well as your remote instance, by specifying your custom index in the appropriate index in inputs.conf and then using indexAndForward = true in outputs.conf.

Whatever your requirements are, there will likely be some data-routing work involved if you want to have different data available in different instances.

A much simpler alternative is just put your data into a custom index on your main indexer, and then restrict the relevant users to only having search privileges on that index. You can then provide access locally on that instance, or use a remote instance to distribute searches

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...