I'm running Splunk 6.2.2 on a Windows Platform. I have 3 Windows domains and would like to send wineventlog:security to indexes named for each of the domains. I installed the Universal Forwarder on all of the domain controllers and have configured index = <domain> in the default stanza of the inputs.conf. The indexer is a standalone Windows Server. When I query Splunk for index=domain, the only source type is Active Directory, not wineventlog:security. Is this a bug in the VERSION=6.2.2 BUILD=255606?
The syntax of the statement in the stanza is index = domainname with spaces before and after the equal sign. There are no < > or " " around the name. The reference to <domain> is how Windows folks define a variable.
It appears that the event logs and performance data are being indexed in main while the active directory data is being indexed in the domain specific index created on the indexer.
This was an upgrade from 5.x to 6.2.2. The drive I have Splunk installed on only had 400 GB space. I have recently acquired 18 TB and am wanting to have the universal fowarders on the domain controllers log the data into indexes defined on the new drive. That way I can store more than say about a month of data before having to delete files.