Getting Data In

How to forward events to a particular index?

New Member

I have events from a file which are currently indexed under the “main” index. I created an index named “target” and want to forward the events from a particular file to that index. The index is added properly in the list of indexes.

I changed the inputs.conf file to include the index name as:

[monitor://C:\Users\pdimri\Desktop\shared\splunk__9.txt]
disabled = false
index = target

Restarted Splunk via the CLI. Also, since I am the admin, I have the relevant permissions to view the output. But when I type index=target, I get nothing. The data is still shown under the main index.
Used http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Setupmultipleindexes as reference.

0 Karma

Re: How to forward events to a particular index?

Path Finder

I could be wrong, but I think your path is incorrect:

Current:
"[monitor://C:UserspdimriDesktopsharedsplunk__9.txt]"

Should be:
[monitor://C:\UserspdimriDesktopsharedsplunk__9.txt]

This will require a restart obviously after the change.

0 Karma

Re: How to forward events to a particular index?

Path Finder

Well, maybe your path is correct. Does it have a backslash after the C:? For some reason the forums will not display the backslash.

0 Karma

Re: How to forward events to a particular index?

New Member

I still don't see any difference between current and should be. Also if the main index is able to pull the data, in my opinion that means the path is correct. Could be wrong, newbie at Splunk.

0 Karma

Re: How to forward events to a particular index?

Path Finder

It's b/c the backslash is not showing up, which is why I thought that. If the path is correct and you did a "splunk restart", that should have worked.

0 Karma

Re: How to forward events to a particular index?

New Member

Yes, it does have a backslash.

0 Karma

Re: How to forward events to a particular index?

Communicator

You can see what configs it actually thinks it has using the internal btool commands (open up a cmd window):

cd to $SPLUNK_HOME, then bin directory (usually C:\Program Files\Splunk\bin)
splunk cmd btool inputs list --debug

The inputs list debug command will tell you what configs it sees, and where it's coming from. There may be something from another file's local or even default configurations that overwrite what you put in place (depends on where you configured it all).

0 Karma

Re: How to forward events to a particular index?

New Member

I checked via your command. The inputs.conf from default is overwriting the index back to default. Can you tell me how to stop this overwriting from default?

0 Karma

Re: How to forward events to a particular index?

Communicator

Problem confirmed in original post's comments - default configurations are overriding the specified stanzas.

To fix, make sure that the inputs configurations are declared in "local". This should be done in its own app, but you can also add it to system local configurations:

$SPLUNK_HOME\etc\apps\appName\local\inputs.conf

or

$SPLUNK_HOME\etc\system\local\inputs.conf

More info on config file precedence can be found in the docs as well:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Wheretofindtheconfigurationfiles

0 Karma
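
An added example, not part of the thread and not Splunk's own tooling: a Python script that parses the output of `splunk cmd btool inputs list --debug` and reports, for each monitor stanza, the effective `index` and whether the file that supplied it sits in a `local` or a `default` directory. The sample output, its paths and the function names are constructed for illustration, and the line layout (file path, whitespace, then stanza header or setting) is an assumption about the output.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `splunk cmd btool inputs list --debug` output (not from the thread).
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\default\inputs.conf [default]
C:\Program Files\Splunk\etc\system\default\inputs.conf index = default
C:\Program Files\Splunk\etc\system\local\inputs.conf   [monitor://C:\logs\app_a.txt]
C:\Program Files\Splunk\etc\system\local\inputs.conf   disabled = false
C:\Program Files\Splunk\etc\system\local\inputs.conf   index = target
C:\Program Files\Splunk\etc\apps\search\default\inputs.conf [monitor://C:\logs\app_b.txt]
C:\Program Files\Splunk\etc\apps\search\default\inputs.conf disabled = false
C:\Program Files\Splunk\etc\system\default\inputs.conf index = default
"""

# Assumed layout of each line: "<path to .conf file><whitespace><stanza header or key = value>".
# The path may contain spaces ("Program Files"), so split on the first ".conf" + whitespace.
LINE = re.compile(r"^(?P<src>.*?\.conf)\s+(?P<rest>\S.*)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        src, rest = m["src"], m["rest"].strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {})
        elif current is not None and "=" in rest:
            key, value = (part.strip() for part in rest.split("=", 1))
            current[key] = (value, src)
    return stanzas

def index_report(text):
    """For every monitor stanza, return (stanza, index, layer), where layer is the
    directory name ('local' or 'default') of the file that supplied the index."""
    report = []
    for name, settings in parse_btool_debug(text).items():
        if name.startswith("monitor://") and "index" in settings:
            value, src = settings["index"]
            report.append((name, value, PureWindowsPath(src).parent.name))
    return report

if __name__ == "__main__":
    for stanza, index, layer in index_report(SAMPLE):
        note = "" if layer == "local" else "  <-- index comes from a default file"
        print(f"{stanza}: index={index} ({layer}){note}")
```

To use it on a real instance, save the btool output to a file and pass its contents to `index_report` in place of `SAMPLE`.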

Re: How to forward events to a particular index?

New Member

Does the btool inputs list --debug command list the files in the order in which Splunk reads them? Because for my event file, it first reads from \system\local\inputs.conf and sets "index = target", but then it reads from \system\default\inputs.conf and sets "index = default". But according to the doc on config files, system local should have the highest priority. And I am still getting no results for input= target.

0 Karma