Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I forward data to a specific index?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I go about configuring splunk forwarders running on Linux to forward to a specific index for Linux-related information? Since my indexer is running on Windows, I ws able to easily configure Windows-specific information to a dedicated index and would like to do the same thing for Linux systems since there are different retention policies for each platform. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have forwarding to indexer properly configured, as mentioned by BunnyHop, you'll just need to specify the custom index for your input at the Forwarder in an inputs.conf file.
Example:
[monitor:///var/log/*.log]
index = linux
It is important to mention that you must verify that the specified custom index exists on the indexer, otherwise your events go into a blackhole (which is the non-existent custom index).
The custom index can be created with a custom indexes.conf on your indexer:
Example:
[linux]
homePath = $SPLUNK_DB/linux/db
coldPath = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you have forwarding to indexer properly configured, as mentioned by BunnyHop, you'll just need to specify the custom index for your input at the Forwarder in an inputs.conf file.
Example:
[monitor:///var/log/*.log]
index = linux
It is important to mention that you must verify that the specified custom index exists on the indexer, otherwise your events go into a blackhole (which is the non-existent custom index).
The custom index can be created with a custom indexes.conf on your indexer:
Example:
[linux]
homePath = $SPLUNK_DB/linux/db
coldPath = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you specify them on the forwarder. You will have to configure it either from CLI or modifying the inputs.conf file.
CLI::
%SPLUNK%> splunk add monitor /path/to/your/log/ -index specific_index
Config File::
modify the %SPLUNK%\etc\system\local\inputs.conf (create it if it doesn't exist)
[monitor://fileyouremonitoring.log]
index = specific_index
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
