Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to redirect logs from a Universal Forwarder to a specific created index, not the main index?

gopala
New Member
‎12-14-2015 06:12 AM

Hi,

I'm trying to redirect all logs from a folder in a forwarder to "just" a specific index that we created on the indexer. This is our own created index and we want to index the logs from that folder on the forwarder "just" in our index, not on the main index.

There is a little confusion here. I have checked some information on the internet and nothing works until now. When somebody says "do something on the inputs.conf" is never clear what to exactly do in that file and "where in that file" (at the beginning?,at the end? in the middle? at random?). It is also never clear to which inputs.conf we should add "this something" because there are several inputs.conf files in different paths. And we even have this file on both the forwarder and the indexer.

Basically, I don't have any clue of "what to add" and "where to add it" (location of the file/files and where within the file).

I have tried several things and nothing works.

Precise and accurate help will be very much appreciated.

Thanks !

0 Karma
Reply

jmallorquin
Builder
‎12-14-2015 07:38 AM

Hi,

First you have to indetifique where have you configure the inputs (mean in with file inputs.conf is configure your input) you can do this with this command ./splunk cmd btool inputs list --debug

Whe you localize the file inputs.conf in with which you have define the inputs you have to configure in the stanza of the inputs the label "index"

[source or sourcetype]
index = yourindex

Hope help you

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...