Hi,
I have installed splunk universal forwarder on one of my windows server, while installing I've given the log directory details. I can see those logs in my index server by searching host=<hostname>. Now I've created a new index (index=Test) and restarted splunk. I've updated the inputs.conf of the windows server where forwarder is installed and restarted my splunkForwarder service. Now if I search with index=Test host=<hostname>, I can see only the logs which came after updating the index in inputs.conf. The old logs which were in splunk already (before udpating the index), still doesn't in the new index. Please let me know how to make those old logs also within this index.
Thanks in advance!
You cannot; already-indexed data is immutable. You can however delete
it and then trick your forwarders into sending it again. That is your only option.
Hi ,
Can you please give me more details about how to delete?
Thank you.
There is a delete
command (that doesn't really delete). Read about it here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/delete
Hi,
Thank you so much..When I install the forwarder in windows server, I can select the directory, but there is no option to give the index for that. In this case how can I give the index while installing forwarder in windows?
Are you telling me that installing the Splunk Windows Universal Forwarder by default sends event to index=Test
? I find this very hard to believe and have never seen this before.
Hi Woodcock,
Nope. I am just asking you.. is there any way to give the index details while installing splunk forwarder? I can see the option to select the directory, but I don't find any option related to index while installing forwarder.
What do you mean by "installing Splunk forwarder"? Installing a forwarder does not enable any inputs other than the _* ones. Do you really mean "adding an input" instead of "installing Splunk forwarder"?