Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to forward data to different indexes from one ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tpaulsen
Contributor
04-13-2010
04:00 PM
Hello,
i want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one indexer. How do i achieve this?
Do i have to define it in the inputs.conf of the forwarder?
Example:
inputs.conf
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
Will this work?
enter code here
2 Solutions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jfraiberg
Communicator
04-13-2010
04:22 PM
I believe that should work, I would try something like -
[monitor:///var/log]
index=os
[monitor:///var/log]
index=os2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
04-15-2010
01:33 PM
Put an index parameter into each monitor stanza as such:
[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld
If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jrodman
Splunk Employee
04-21-2010
04:43 PM
ftk has your answer, but for detail, the 'ini file format' concept is basically:
[name_of_stanza1]
setting1=value1
setting2=value2
[name_of_stanza2]
setting1=value3
setting2=value4
Splunk extends this by supporting the idea of defaults across all stanzas, eg:
[default]
setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override
Here, stanza1 gets the default, while stanza2 chooses another value. We also support writing defaults without an explicit stanza. This means the same thing:
setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override
So in your proposal, you have a default index specified:
index = teststufen-int
then in your stanza for process2.log, you override the index to teststufen-sirt.
See http://www.splunk.com/base/Documentation/4.1/Admin/Aboutconfigurationfiles for more information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tpaulsen
Contributor
04-22-2010
02:17 PM
Great! Now i fully understand. That helps a lot! Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
04-15-2010
01:33 PM
Put an index parameter into each monitor stanza as such:
[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld
If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tpaulsen
Contributor
04-22-2010
02:17 PM
Yes, that´s what i thought. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gkanapathy
Splunk Employee
04-13-2010
05:00 PM
you may want to use the "code" formatting button (the "101010" button) in the editing window to get the linebreaks right here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jfraiberg
Communicator
04-13-2010
04:22 PM
I believe that should work, I would try something like -
[monitor:///var/log]
index=os
[monitor:///var/log]
index=os2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tpaulsen
Contributor
04-13-2010
04:56 PM
Ok, thank you. so the other way round.
Do i have to put the index declaration after every [monitor:///...] entry?
Get Updates on the Splunk Community!
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
