Getting Data In

How to configure the Splunk universal forwarders on a Windows machine to send to an index that isn't the main?

TrueMex
New Member

Hi All, i am trying to configure the splunk universal forwarders on a windows machine to send to an index that isnt main. I attempted to set index=windows_index in the inputs.comf file in $splunk/etc/system/local/. when i set the index there, and restart the forwarder no logs get to splunk. when removed and restarted again, logs all pour in.

Is this config setting something to be set in the forwarders?

Labels (3)
0 Karma

Bakkar
New Member

Updated inputs.conf file from path "C:\Program Files\SplunkUniversalForwarder\etc\system\default" 

[monitor://$SPLUNK_HOME\var\log\splunk]

index =<Your Indexname>

[monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*]

index =<Your Indexname>

 

Hope this helps

0 Karma

woodcock
Esteemed Legend

You need to make sure that you have windows_index defined in indexes.conf on your indexers.

bogdan_nicolesc
Communicator

Hi all,

I was about to ask the same question.

So let me get this clear ....

In file inputs.conf from Program Files\Splunk\etc\system\local you need to type in what to index to use on the indexer server ... ??

And on the server side you need to create an index with the name put in the inputs.conf .... right?

This inputs.conf can't be from Splunk Universal Forwarder? It has to be from splunk folder?

Can anyone can give me an example of a inputs.conf that collects win security log and send it to an index called win_sec on a server so called 192.168.1.1:9997

I have some ideas how it should look but i'm lost in commands .....

Thank you,
Bogdan.

0 Karma

woodcock
Esteemed Legend

No.
On the forwarder you use inputs.conf and tell it what index value will store the data that you are sending.
On the indexers you need to create that matching index with indexes.conf.

0 Karma

raghu0463
Explorer

I think you need to login as Admin for editing inputs.conf file on forwarder system. i.e open the .txt file as run as administrator.

0 Karma

HiwaKarimi
Engager

I did like this in path:  $SPLUNK_HOME/etc/system/default/indexes.conf for an Index (wallix)

 

[wallix]
repFactor = auto
homePath = volume:hotwarm/wallix/db
coldPath = volume:cold/wallix/colddb
thawedPath = $SPLUNK_DB/wallix/thaweddb
tstatsHomePath = volume:hotwarm/wallix/datamodel_summary
homePath.maxDataSizeMB = 5120
coldPath.maxDataSizeMB = 10240
maxHotBuckets = 10
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 15360
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 31104000

 

0 Karma

TrueMex
New Member

I figured out one issue and yet another has appeared. I needed to have index="windows_index" with the index inside "" but while this works on one machine it does not on another. i will update when i have more.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Can you share your inputs.conf stanza? Also, to gpradeepkumarreddy's point, the index needs to exist in the indexers.

0 Karma

pradeepkumarg
Influencer

Is this index created on the indexer? windows_index. Unless you create the index on the indexer, the events end up no where.

0 Karma

TrueMex
New Member

Index exists. I figured out the issue in one machine, i did not denote index="windows_index"

Also note windows_index is a placeholder before anyone else gets me.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...