
How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Contributor

Hello,

I want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one indexer. How do I achieve this?

Do I have to define it in the inputs.conf of the forwarder?

Example:

inputs.conf

index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]

index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]

Will this work?


Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Communicator

I believe that should work, I would try something like -

[monitor:///var/log]
index=os


[monitor:///var/log]
index=os2


Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Contributor

OK, thank you. So the other way round.

Do I have to put the index declaration after every [monitor:///...] entry?

0 Karma

Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Splunk Employee

You may want to use the "code" formatting button (the "101010" button) in the editing window to get the line breaks right here.

0 Karma

Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Motivator

Put an index parameter into each monitor stanza as such:

[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld

If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf


Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Contributor

Yes, that's what I thought. Thank you.

0 Karma

Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Splunk Employee

ftk has your answer, but for detail, the 'ini file format' concept is basically:

[name_of_stanza1]
setting1=value1
setting2=value2

[name_of_stanza2]
setting1=value3
setting2=value4

Splunk extends this by supporting the idea of defaults across all stanzas, e.g.:

[default]
setting1=default

[name_of_stanza1]

[name_of_stanza2]
setting1=override

Here, stanza1 gets the default, while stanza2 chooses another value. We also support writing defaults without an explicit stanza. This means the same thing:

setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override

So in your proposal, you have a default index specified:

index = teststufen-int

then in your stanza for process2.log, you override the index to teststufen-sirt.

See http://www.splunk.com/base/Documentation/4.1/Admin/Aboutconfigurationfiles for more information.
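
Added example (not part of the original posts, and not Splunk's own parser): a simplified Python model of the default and stanza rules described in the answer above, applied to the inputs.conf layout from the question and to the per-stanza form the answers recommend. It models a single file only; the function names and the "(default index)" placeholder are assumptions of this example.

```python
# Added illustration, not Splunk's parser: one file only, no layering of .conf files.
def effective_settings(conf_text):
    """Return {stanza: file-wide defaults overlaid with the stanza's own settings}."""
    defaults, stanzas, current = {}, {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current != "default":
                stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # before the first stanza or under [default]: file-wide default
            target = defaults if current in (None, "default") else stanzas[current]
            target[key.strip()] = value.strip()
    return {name: {**defaults, **own} for name, own in stanzas.items()}

def index_map(conf_text):
    """Map each monitored path to the index its events would go to."""
    return {name[len("monitor://"):]: cfg.get("index", "(default index)")
            for name, cfg in effective_settings(conf_text).items()
            if name.startswith("monitor://")}

# Layout from the question: "index" lines written above groups of stanzas.
PROPOSED = """
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]

index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
"""

# Same inputs with "index" inside each stanza, as the answers recommend.
PER_STANZA = """
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-int
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
index = teststufen-sirt
"""
for label, text in (("proposed", PROPOSED), ("per-stanza", PER_STANZA)):
    for path, index in index_map(text).items():
        print(f"{label:11} {index:16} {path}")
```

Under this model the proposed layout sends only int04's process2.log to teststufen-sirt, while the other three files inherit the file-wide default teststufen-int; the blank line before the second `index` line does not end the preceding stanza.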


Re: How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Contributor

Great! Now I fully understand. That helps a lot! Thank you.

0 Karma