Indexing and forward not working when using custom named indexes

rishavvaidya
Explorer

I have two standalone Splunk servers for testing. On the first instance, I'm trying to index and forward.

Below are my inputs.conf and outputs.conf on server1.
inputs.conf:
[root@localhost local]# cat inputs.conf
[monitor:///var/log/secure]
disabled = false
sourcetype = linux_secure
index = testing

And outputs.conf:
[tcpout]
defaultGroup = dataroute
indexAndForward = true
disabled = false

[tcpout:dataroute]
server = 192.168.75.139:9997

I have created testing indexes manually in both these Splunk instances.

When I don't give any index then it's working fine and I can see the data being forwarded to the main index of the 2nd instance, but when I change the index to testing, it just doesn't work.
Help me figure out what I'm doing wrong.

0 Karma
1 Solution

HiroshiSatoh
Champion

The index setting is bad.
Can you check from the setting screen?

0 Karma

rishavvaidya
Explorer

Yes, moving the indexes.conf file to system/local solved the issue.

0 Karma
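
Added example (not part of the original thread, and not Splunk's own tooling): a Python check that, for every index named in an inputs.conf, reports which indexes.conf files define it and whether they sit in a directory the instance reads. It assumes a standalone instance and treats only etc/system/{default,local} and etc/apps/*/{default,local} as loaded; the stray path used in demo() is constructed, since the thread does not say where the file originally was.

```python
import re
import tempfile
from pathlib import Path

# Assumption: standalone instance; only these directories under $SPLUNK_HOME/etc
# count as loaded (etc/users and cluster bundle directories are left out).
LOADED = ("system/default", "system/local", "apps/*/default", "apps/*/local")

def parse_conf(path):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, None
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def conf_files(etc, name):
    """Split every file called `name` under etc into (loaded, not loaded)."""
    loaded = {p for g in LOADED for p in Path(etc).glob(f"{g}/{name}")}
    return sorted(loaded), sorted(set(Path(etc).rglob(name)) - loaded)

def check_indexes(etc):
    """For each index named in a loaded inputs.conf, list the indexes.conf files defining it."""
    inputs, _ = conf_files(etc, "inputs.conf")
    loaded, stray = conf_files(etc, "indexes.conf")
    wanted = {s["index"] for p in inputs for s in parse_conf(p).values() if "index" in s}
    def where(files, ix):
        return [p.relative_to(etc).as_posix() for p in files if ix in parse_conf(p)]
    return {ix: {"defined_in": where(loaded, ix), "not_loaded": where(stray, ix)}
            for ix in sorted(wanted)}

def demo():
    """Constructed tree: the post's inputs.conf plus an indexes.conf in a made-up stray path."""
    etc = Path(tempfile.mkdtemp()) / "etc"
    (etc / "system/local").mkdir(parents=True)
    (etc / "system/local/inputs.conf").write_text(  # monitor stanza from the post
        "[monitor:///var/log/secure]\ndisabled = false\nsourcetype = linux_secure\nindex = testing\n")
    stray = etc / "indexes.conf"  # hypothetical wrong location, not taken from the thread
    stray.write_text("[testing]\nhomePath = $SPLUNK_DB/testing/db\n")  # constructed sample
    before = check_indexes(etc)
    stray.rename(etc / "system/local/indexes.conf")  # the fix reported in the thread
    return before, check_indexes(etc)

if __name__ == "__main__":
    print(demo())
```

On a live instance, `splunk btool indexes list testing --debug` prints the file each merged setting comes from, which answers the same question from Splunk's side.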