Hello,
I want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one indexer. How do I achieve this?
Do I have to define it in the inputs.conf of the forwarder?
Example:
inputs.conf
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
Will this work?
I believe that should work, I would try something like -
[monitor:///var/log]
index=os
[monitor:///var/log]
index=os2
Put an index parameter into each monitor stanza as such:
[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld
If you do not define an index parameter, the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf
ftk has your answer, but for detail, the 'ini file format' concept is basically:
[name_of_stanza1]
setting1=value1
setting2=value2
[name_of_stanza2]
setting1=value3
setting2=value4
Splunk extends this by supporting the idea of defaults across all stanzas, eg:
[default]
setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override
Here, stanza1 gets the default, while stanza2 chooses another value. We also support writing defaults without an explicit stanza. This means the same thing:
setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override
So in your proposal, you have a default index specified:
index = teststufen-int
then in your stanza for process2.log, you override the index to teststufen-sirt.
See http://www.splunk.com/base/Documentation/4.1/Admin/Aboutconfigurationfiles for more information.
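To make the default/override rule from the answer above concrete, here is an added example, written for this page and not code from the thread or from Splunk. It is a small Python model of the resolution rule as stated in the answer (settings before the first header or under [default] apply to every stanza; a setting inside a stanza overrides it for that stanza only), applied to a constructed copy of the inputs.conf from the question and to a constructed variant that follows ftk's advice of one explicit index per monitor stanza. The fallback index name "main" is Splunk's out-of-the-box default and is an assumption of the model; the parser is a toy and not Splunk's own conf reader.

```python
"""Toy resolver for Splunk-style .conf stanzas (added example, not Splunk code).

Models the rules given in the answer above:
  * "setting=value" lines before the first [stanza] header, and lines under an
    explicit [default] stanza, apply to every other stanza in the file.
  * The same setting repeated inside a stanza overrides the default for that
    stanza only.
"""
import re
from typing import Dict

# Constructed copy of the inputs.conf from the question (same paths, same order).
QUESTION_CONF = """\
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
"""

# Constructed variant applying the advice from the answers: one explicit index
# per monitor stanza, nothing relying on a file-level default.
EXPLICIT_CONF = """\
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process2.log]
index = teststufen-int
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process2.log]
index = teststufen-sirt
"""

_STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse conf text into {stanza_name: {setting: value}}.

    Settings seen before the first header are stored under "default", the same
    place an explicit [default] stanza lands, so both spellings behave alike.
    Blank lines and '#' comments are skipped; a repeated key keeps its last value.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a setting or stanza header: {raw!r}")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def effective_index(stanzas: Dict[str, Dict[str, str]],
                    fallback: str = "main") -> Dict[str, str]:
    """Return the index each monitor stanza actually writes to.

    Resolution order: the stanza's own index, then the [default]/file-level
    index, then `fallback`. "main" is Splunk's out-of-the-box default index;
    that nothing else (e.g. indexes.conf) changed it is an assumption here.
    """
    default = stanzas.get("default", {})
    result: Dict[str, str] = {}
    for name, settings in stanzas.items():
        if not name.startswith("monitor:"):
            continue
        result[name] = settings.get("index", default.get("index", fallback))
    return result


if __name__ == "__main__":
    for label, conf in (("as posted", QUESTION_CONF),
                        ("explicit per stanza", EXPLICIT_CONF)):
        print(f"--- {label} ---")
        for stanza, idx in effective_index(parse_conf(conf)).items():
            print(f"{idx:16} <- {stanza}")
```

Run as posted, the model sends only int04/process2.log to teststufen-sirt and the other three monitors to teststufen-int, which is what the answer above says the file does and is not what the question wanted; the explicit variant sends both int06 monitors to teststufen-sirt. On a real forwarder the authoritative check is `splunk btool inputs list --debug`, which prints the merged settings for every stanza together with the file each value came from.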
Great! Now I fully understand. That helps a lot! Thank you.
Yes, that's what I thought. Thank you.
You may want to use the "code" formatting button (the "101010" button) in the editing window to get the line breaks right here.
OK, thank you. So the other way round.
Do I have to put the index declaration after every [monitor:///...] entry?