Getting Data In

How to change auto configuration of universal forwarder?

Communicator

Hi all,
I was assigned to push a fix on forwarders since they are forwarding data with auto-naming on index and source type like audit1 or error1, index1 or index2.
I didn't install the system, so I don't know how they set it up on this way. I made research on forwarder directory and find out that:
inputs.conf is not set to any value anywhere for the applications.
only thing i found is in "\etc\apps\search\metadata\local.meta" file some lines like:

[inputs/monitor%3A%2F%2F<LOG_DISK>%3A%5C<LOG_DIRECTORY>%5C<APPLICATION_NAME>%5C<LOG_FILE>]
owner = admin
version = 6.0.1
modtime = 1391634049.125552100

my question is that I need to set up right indexes and sourcetypes for several application logs that is forwarded to same indexer.

what is the correct way of doing this? Should i just add right configuration to inputs.conf at etc/search/local or etc/system/local.

one last question: What would happen to logs that is indexed and sourcetype automatically in indexer. Are they gonna be part of new naming or I have to sacrify them for this good reason

thanks for your time and effort for even checking my question 🙂

1 Solution

Influencer

Yes, you need to add right configurations to inputs.conf file to route log events to specific indexes and for setting right sourcetypes.

When you search with new index names and sourcetypes you will not get old log events that were indexed automatically.

The first step is to set right configurations in inputs.conf file of forwarder.

The file should be under etc/system/local. Suppose you have written some dedicated app to forwarder node then the inputs.conf file can be under <your app>/local/ directory

View solution in original post

Influencer

Yes, you need to add right configurations to inputs.conf file to route log events to specific indexes and for setting right sourcetypes.

When you search with new index names and sourcetypes you will not get old log events that were indexed automatically.

The first step is to set right configurations in inputs.conf file of forwarder.

The file should be under etc/system/local. Suppose you have written some dedicated app to forwarder node then the inputs.conf file can be under <your app>/local/ directory

View solution in original post

Influencer

This link has the details on cleaning index data and removing indexes.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/RemovedatafromSplunk

be careful while using these commands.

0 Karma

Communicator

thanks for the response, then this lead another question that is, I can start forwarding with directory instead of log file since i kept them historically. Are there any way to get rid of the old indexes and sourcetypes on indexer?

0 Karma

Influencer

If you still need old data to be summarized and save those results into some summary index. Then it is possible. You can run separate searches first on this old data and store summarized data into summary index after that you can schedule your new searches to push summarized data to summary index.

If you are writing searches on raw data and want to use old data and also new data then you may have to make use of subsearches.

0 Karma