How to configure the Splunk universal forwarders o...

TrueMex · ‎06-08-2018

Hi All, i am trying to configure the splunk universal forwarders on a windows machine to send to an index that isnt main. I attempted to set index=windows_index in the inputs.comf file in $splunk/etc/system/local/. when i set the index there, and restart the forwarder no logs get to splunk. when removed and restarted again, logs all pour in.

Is this config setting something to be set in the forwarders?

Bakkar · ‎03-16-2021

Updated inputs.conf file from path "C:\Program Files\SplunkUniversalForwarder\etc\system\default"

[monitor://$SPLUNK_HOME\var\log\splunk]

index =<Your Indexname>

[monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*]

index =<Your Indexname>

Hope this helps

woodcock · ‎01-25-2019

You need to make sure that you have windows_index defined in indexes.conf on your indexers.

bogdan_nicolesc · ‎01-25-2019

Hi all,

I was about to ask the same question.

So let me get this clear ....

In file inputs.conf from Program Files\Splunk\etc\system\local you need to type in what to index to use on the indexer server ... ??

And on the server side you need to create an index with the name put in the inputs.conf .... right?

This inputs.conf can't be from Splunk Universal Forwarder? It has to be from splunk folder?

Can anyone can give me an example of a inputs.conf that collects win security log and send it to an index called win_sec on a server so called 192.168.1.1:9997

I have some ideas how it should look but i'm lost in commands .....

Thank you,
Bogdan.

woodcock · ‎01-25-2019

No.
On the forwarder you use inputs.conf and tell it what index value will store the data that you are sending.
On the indexers you need to create that matching index with indexes.conf.

raghu0463 · ‎06-08-2018

I think you need to login as Admin for editing inputs.conf file on forwarder system. i.e open the .txt file as run as administrator.

HiwaKarimi · ‎02-11-2022

I did like this in path: $SPLUNK_HOME/etc/system/default/indexes.conf for an Index (wallix)

[wallix]
repFactor = auto
homePath = volume:hotwarm/wallix/db
coldPath = volume:cold/wallix/colddb
thawedPath = $SPLUNK_DB/wallix/thaweddb
tstatsHomePath = volume:hotwarm/wallix/datamodel_summary
homePath.maxDataSizeMB = 5120
coldPath.maxDataSizeMB = 10240
maxHotBuckets = 10
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 15360
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 31104000

TrueMex · ‎06-08-2018

I figured out one issue and yet another has appeared. I needed to have index="windows_index" with the index inside "" but while this works on one machine it does not on another. i will update when i have more.

kmorris_splunk · ‎06-08-2018

Can you share your inputs.conf stanza? Also, to gpradeepkumarreddy's point, the index needs to exist in the indexers.

pradeepkumarg · ‎06-08-2018

Is this index created on the indexer? windows_index. Unless you create the index on the indexer, the events end up no where.

TrueMex · ‎06-08-2018

Index exists. I figured out the issue in one machine, i did not denote index="windows_index"

Also note windows_index is a placeholder before anyone else gets me.

How to configure the Splunk universal forwarders on a Windows machine to send to an index that isn't the main?

index

universal forwarder

Windows

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...