I want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one indexer. How do I achieve this?
Do I have to define it in the inputs.conf of the forwarder?
    index = teststufen-int
    [monitor:///var/opt/noa/int04/current/process/log/process1.log]
    [monitor:///var/opt/noa/int04/current/process/log/process2.log]
    index = teststufen-sirt
    [monitor:///var/opt/noa/int06/current/process/log/process1.log]
    [monitor:///var/opt/noa/int06/current/process/log/process2.log]
Will this work?
I believe that should work, I would try something like -
    [monitor:///var/log]
    index=os
    [monitor:///var/log]
    index=os2
OK, thank you. So the other way round.
Do I have to put the index declaration after every [monitor:///...] entry?
You may want to use the "code" formatting button (the "101010" button) in the editing window to get the linebreaks right here.
Put an index parameter into each monitor stanza as such:
    [monitor:///var/log/blah]
    index = blah
    [monitor:///var/log/fu]
    index = helloworld
If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf
ftk has your answer, but for detail, the 'ini file format' concept is basically:
    [name_of_stanza1]
    setting1=value1
    setting2=value2
    [name_of_stanza2]
    setting1=value3
    setting2=value4
Splunk extends this by supporting the idea of defaults across all stanzas, e.g.:
    [default]
    setting1=default
    [name_of_stanza1]
    [name_of_stanza2]
    setting1=override
Here, stanza1 gets the default, while stanza2 chooses another value. We also support writing defaults without an explicit stanza. This means the same thing:
    setting1=default
    [name_of_stanza1]
    [name_of_stanza2]
    setting1=override
So in your proposal, you have a default index specified:
index = teststufen-int
then in your stanza for process2.log, you override the index to teststufen-sirt.
See http://www.splunk.com/base/Documentation/4.1/Admin/Aboutconfigurationfiles for more information.
Great! Now I fully understand. That helps a lot! Thank you.
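Added example, not part of the original thread and not Splunk's own code: a simplified Python model of the stanza and default rules described in the answers, applied to the asker's proposed inputs.conf to show which index each monitored file would actually land in. The intended mapping (int04 to teststufen-int, int06 to teststufen-sirt) and all function names are assumptions; `main` is used as the fallback when no default index is set.

```python
# Simplified single-file model of the stanza rules above; not Splunk's parser.
PROPOSED = """\
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
"""
# Assumption: the asker wants int04 logs in teststufen-int, int06 in teststufen-sirt.
INTENDED = {"/int04/": "teststufen-int", "/int06/": "teststufen-sirt"}

def parse_stanzas(text):
    """Settings before the first header, or under [default], are defaults."""
    stanzas, current = {"default": {}}, "default"
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_index(text, fallback="main"):
    """Map each monitored path to the index its events would carry."""
    stanzas = parse_stanzas(text)
    default = stanzas["default"].get("index", fallback)  # "main" if none is set
    return {name[len("monitor://"):]: s.get("index", default)
            for name, s in stanzas.items() if name.startswith("monitor://")}

def misrouted(text, intended=INTENDED):
    """Return {path: (effective, wanted)} for inputs landing in the wrong index."""
    out = {}
    for path, idx in effective_index(text).items():
        wanted = next((i for frag, i in intended.items() if frag in path), None)
        if wanted and idx != wanted:
            out[path] = (idx, wanted)
    return out

def with_explicit_index(text, intended=INTENDED):
    """Rewrite the inputs so every monitor stanza names its own index."""
    return "\n".join(f"[monitor://{p}]\nindex = {i}"
                     for p in effective_index(text)
                     for frag, i in intended.items() if frag in p) + "\n"

if __name__ == "__main__":
    print(misrouted(PROPOSED))
```

On a real forwarder, `splunk btool inputs list --debug` shows the merged settings per stanza, which is the authoritative check before relying on index-based access controls or retention.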