Solved: Indexing and forward not working when using custom...

rishavvaidya · ‎09-04-2017

I have two standalone splunk servers for testing. On first instance, I'm trying index and forward.

Below is my inputs.conf and outputs.conf in server1
Inputs.conf>>>>
[root@localhost local]# cat inputs.conf
[monitor:///var/log/secure]
disabled = false
sourcetype = linux_secure
index = testing

And outputs.conf >>>>>
[tcpout]
defaultGroup = dataroute
indexAndForward = true
disabled = false

[tcpout:dataroute]
server = 192.168.75.139:9997

I have created testing indexes manually in both these splunk instances.

When I don't give any index then its working fine and I can see the data being forwarded to main index of 2nd instance but when I change the index to testing , it just doesn't work.
Help me figure out what I'm doing wrong.

HiroshiSatoh · ‎09-05-2017

The index setting is bad.
Can you check from the setting screen?

alt text

View solution in original post

HiroshiSatoh · ‎09-05-2017

The index setting is bad.
Can you check from the setting screen?

alt text

rishavvaidya · ‎09-05-2017

yes, moving the indexes.conf file to system/local solved the issue.

Indexing and forward not working when using custom named indexes

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

Indexing and forward not working when using custom named indexes

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple