
How to change auto configuration of universal forwarder?

axl88
Communicator

Hi all,
I was assigned to push a fix on forwarders since they are forwarding data with auto-naming on index and source type, like audit1 or error1, index1 or index2.
I didn't install the system, so I don't know how they set it up this way. I did some research in the forwarder directory and found out that:
inputs.conf is not set to any value anywhere for the applications.
The only thing I found is in the "\etc\apps\search\metadata\local.meta" file, some lines like:

[inputs/monitor%3A%2F%2F<LOG_DISK>%3A%5C<LOG_DIRECTORY>%5C<APPLICATION_NAME>%5C<LOG_FILE>]
owner = admin
version = 6.0.1
modtime = 1391634049.125552100

My question is that I need to set up the right indexes and sourcetypes for several application logs that are forwarded to the same indexer.

What is the correct way of doing this? Should I just add the right configuration to inputs.conf at etc/search/local or etc/system/local?

One last question: what would happen to logs that were indexed and sourcetyped automatically on the indexer? Are they going to be part of the new naming, or do I have to sacrifice them for this good reason?

Thanks for your time and effort for even checking my question 🙂

1 Solution

strive
Influencer

Yes, you need to add the right configuration to the inputs.conf file to route log events to specific indexes and to set the right sourcetypes.

When you search with the new index names and sourcetypes you will not get the old log events that were indexed automatically.

The first step is to set the right configuration in the inputs.conf file of the forwarder.

The file should be under etc/system/local. Suppose you have written some dedicated app for the forwarder node; then the inputs.conf file can be under the <your app>/local/ directory.

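As an added example (not part of the accepted answer or of Splunk's own tooling), the script below decodes a URL-encoded local.meta key like the one quoted in the question into the inputs.conf stanza it refers to, and then lints a constructed inputs.conf for monitor:// stanzas that still omit an explicit index or sourcetype, which is exactly the condition that produces the auto-named indexes and sourcetypes described above. All paths, index and sourcetype names are constructed for illustration.

```python
"""Lint a Universal Forwarder inputs.conf for monitor stanzas that rely on
auto-generated index/sourcetype, and decode a local.meta key into the matching
inputs.conf stanza header. Added example; all sample values are constructed."""
import configparser
from urllib.parse import unquote

# Constructed local.meta key, in the URL-encoded form quoted in the question
# (%3A = ':', %2F = '/', %5C = '\').
META_KEY = "inputs/monitor%3A%2F%2FD%3A%5CLogs%5CApp1%5Capp.log"

# Constructed inputs.conf: the first stanza sets no index/sourcetype, so events
# land in the default index with an auto-named sourcetype; the second stanza is
# the corrected form that pins both explicitly.
SAMPLE_INPUTS_CONF = """\
[monitor://D:\\Logs\\App1\\app.log]
disabled = false

[monitor://D:\\Logs\\App2]
index = app2_logs
sourcetype = app2:json
disabled = false
"""


def meta_key_to_stanza(meta_key: str) -> str:
    """Turn 'inputs/monitor%3A%2F%2F...' from local.meta into the
    inputs.conf stanza header it refers to, e.g. 'monitor://D:\\Logs\\...'."""
    prefix = "inputs/"
    if not meta_key.startswith(prefix):
        raise ValueError(f"not an inputs stanza key: {meta_key}")
    return unquote(meta_key[len(prefix):])


def find_unlabelled_monitors(conf_text: str, required=("index", "sourcetype")):
    """Return [(stanza, [missing keys])] for every monitor:// stanza in
    conf_text that lacks one of the required keys. Splunk .conf files are
    INI-like, so configparser is enough for this check."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(conf_text)
    problems = []
    for stanza in cp.sections():
        if not stanza.startswith("monitor://"):
            continue
        missing = [key for key in required if key not in cp[stanza]]
        if missing:
            problems.append((stanza, missing))
    return problems


if __name__ == "__main__":
    print("local.meta key refers to stanza:", meta_key_to_stanza(META_KEY))
    for stanza, missing in find_unlabelled_monitors(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: missing {', '.join(missing)}")
```

Run it against the forwarder's etc/system/local/inputs.conf or an app's local/inputs.conf to list every monitor stanza that still needs an explicit index and sourcetype before the fix is pushed.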

strive
Influencer

This link has the details on cleaning index data and removing indexes.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/RemovedatafromSplunk

Be careful while using these commands.

axl88
Communicator

Thanks for the response. This leads to another question: I can start forwarding with the directory instead of the log file, since I kept them historically. Is there any way to get rid of the old indexes and sourcetypes on the indexer?

strive
Influencer

If you still need the old data to be summarized and those results saved into some summary index, then it is possible. You can run separate searches first on this old data and store the summarized data in the summary index; after that you can schedule your new searches to push summarized data to the summary index.

If you are writing searches on raw data and want to use both the old data and the new data, then you may have to make use of subsearches.
