Getting Data In

How to configure forwarders to send data to specific index on Indexer?

AndreaEClark
Explorer

I'm running Splunk 6.2.2 on a Windows Platform. I have 3 Windows domains and would like to send wineventlog:security to indexes named for each of the domains. I installed the Universal Forwarder on all of the domain controllers and have configured index = <domain> in the default stanza of the inputs.conf. The indexer is a standalone Windows Server. When I query Splunk for index=domain, the only source type is Active Directory, not wineventlog:security. Is this a bug in the VERSION=6.2.2 BUILD=255606?

0 Karma

AndreaEClark
Explorer

The syntax of the statement in the stanza is index = domainname with spaces before and after the equal sign. There are no < > or " " around the name. The reference to <domain> is how Windows folks define a variable.

It appears that the event logs and performance data are being indexed in main while the active directory data is being indexed in the domain specific index created on the indexer.

This was an upgrade from 5.x to 6.2.2. The drive I have Splunk installed on only had 400 GB space. I have recently acquired 18 TB and am wanting to have the universal forwarders on the domain controllers log the data into indexes defined on the new drive. That way I can store more than say about a month of data before having to delete files.

0 Karma

MuS
SplunkTrust

Is this a typo, or does your option for this inputs stanza really look like index = <domain> ?
It should be index = domain instead.

0 Karma

ConnorG
Path Finder

Check if the events are indexed under main. That way we know the data is coming through.

There are also more locations where inputs.conf files can reside. Look into the etc\apps\ directory. Most of my forwarders use the Splunk_TA_windows app for a lot of my Windows log monitoring.

0 Karma
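One way to pin the Security event log to a per-domain index, shown as an added example that is not from any poster in this thread: set index on the input stanza itself rather than only in [default]. The file path and the placeholder index name `domainname` are assumptions; use the local directory of whichever app actually defines the input on your forwarders.

```ini
# Assumed location on each domain controller:
# %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf

[WinEventLog://Security]
disabled = 0
# An index set on the input stanza takes precedence over index in [default],
# so an explicit value defined for this input elsewhere cannot silently
# route the events to main.
# "domainname" is a placeholder for the index created on the indexer.
index = domainname
```

Running `splunk btool inputs list WinEventLog://Security --debug` on the forwarder prints the merged stanza along with the file that supplies each setting, which shows where the effective index value comes from. Restart the forwarder after changing inputs.conf.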