I have events from a file which are currently indexed under the “main” index. I created an index named “target” and want to forward the events from a particular file to that index. The index is added properly in the list of indexes.
I changed the inputs.conf file to include the index name as:
disabled = false
index = target
Restarted Splunk via the CLI. Also, since I am the admin, I have the relevant permissions to view the output. But when I type: index=target I get nothing. The data is still shown under the main index.
Used http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Setupmultipleindexes as reference.
I could be wrong, but I think your path is incorrect:
This will require a restart obviously after the change.
I still don't see any difference between current and should be. Also if the main index is able to pull the data, in my opinion that means the path is correct. Could be wrong, newbie at Splunk.
It's b/c the backslash is not showing up, which is why I thought that. If the path is correct and you did a "splunk restart", that should have worked.
You can see what configs it actually thinks it has using the internal btool commands (open up a cmd window):
cd to $SPLUNK_HOME, then bin directory (usually C:\Program Files\Splunk\bin)
splunk cmd btool inputs list --debug
The inputs list debug command will tell you what configs it sees, and where it's coming from. There may be something from another file's local or even default configurations that overwrite what you put in place (depends on where you configured it all).
I checked via your command. The inputs.conf from default is overwriting the index back to default. Can you tell me how to stop this overwriting from default?
Problem confirmed in original post's comments - default configurations are overriding the specified stanzas.
To fix, make sure that the inputs configurations are declared in "local". This should be done in its own app, but you can also add it to system local configurations:
$SPLUNK_HOME\etc\apps\appName\local\inputs.conf or $SPLUNK_HOME\etc\system\local\inputs.conf
More info on config file precedence can be found in the docs as well:
Does the btool inputs list --debug command list the files in the order in which Splunk reads them? Because for my event file, it first reads from \system\local\inputs.conf and sets "index = target", but then it reads from \system\default\inputs.conf and sets "index = default". But according to the doc on config files, system local should have the highest priority. And I am still getting no results for input= target.
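An added example, not from the thread or from Splunk: btool --debug prints the merged configuration with each line tagged by the file that supplied the effective value, so grouping the lines by stanza shows which file sets index for each input. The sample output, its paths and the app name sample_app are constructed, and the line shape (source file, whitespace, setting) is an assumption about the output format.

```python
import re

# Constructed sample in the shape `splunk cmd btool inputs list --debug` prints:
# source file, whitespace, then the effective stanza header or setting.
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\local\inputs.conf   [monitor://C:\logs\app.log]
C:\Program Files\Splunk\etc\system\local\inputs.conf   disabled = false
C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup
C:\Program Files\Splunk\etc\system\local\inputs.conf   index = target
C:\Program Files\Splunk\etc\apps\sample_app\default\inputs.conf [monitor://C:\logs\other.log]
C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup
C:\Program Files\Splunk\etc\system\default\inputs.conf index = default
"""

# The path may contain spaces, so split at the first ".conf" followed by whitespace.
LINE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<body>\S.*)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line without a source-file prefix
        src, body = m.group("src"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = (part.strip() for part in body.split("=", 1))
            current[key] = (value, src)
    return stanzas

def layer_of(path):
    """'local' or 'default': the directory that holds the .conf file."""
    return re.split(r"[\\/]", path)[-2]

def index_report(stanzas):
    """One (stanza, index, layer, source_file) row per input stanza."""
    rows = []
    for name, settings in stanzas.items():
        value, src = settings.get("index", ("<unset>", "<none>"))
        layer = layer_of(src) if src != "<none>" else "<none>"
        rows.append((name, value, layer, src))
    return rows

if __name__ == "__main__":
    for name, value, layer, src in index_report(parse_btool_debug(SAMPLE)):
        note = "" if layer == "local" else "   <-- not set in a local file"
        print(f"[{name}] index={value} ({layer}: {src}){note}")
```

To check a real instance, pass the captured output of the btool command to parse_btool_debug in place of SAMPLE.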