Getting Data In

Indexing log files already (although not correctly) indexed

brober27
New Member

This is my first experience of indexing log files. Therefore I am conscious of not having full control of what I am doing.
I started with my target of indexing log files. I have many applications on different hosts and every application (I call it App) has a different log; and each log is suffixed with a number to indicate that it is a historical log (i.e. App1.log1 stands for the log of App1 at time 1, App1.log2 stands for the log of App1 at time 2, App1.log3 stands for the log of App1 at time 3).
I also have App2 logs, App3 logs etc.
I have organized my work in such a way as to have an index for each application. Therefore each index (which I will call by the name of the application itself) will contain the historical logs (log1, log2, log3, etc.) of that application.
I also have a Universal Forwarder (where I have put all my logs), an Indexer, and a Search Head.
In order to create indexes on the Indexer instance I have written the inputs.conf file on the Universal Forwarder.
It is the following:
[default]
host = universalforw
[monitor:///opt/splunkforwarder/var/log/app1/]
disabled = false
index = app1
[monitor:///opt/splunkforwarder/var/log/app2/]
disabled = false
index = app2
[monitor:///opt/splunkforwarder/var/log/app3/]
disabled = false
index = app3
I have also enabled receiving on the indexer (port 9997) and written the following outputs.conf file in the universal forwarder directory:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = ip-of-indexer:9997
[tcpout-server://ip-of-indexer:9997]
Unfortunately it doesn't work! I have checked that the universal forwarder forwards (it is active) and I have also checked that the indexer is listening on port 9997.
The indexes are not created, although some indexes existed (not correct) because I gave some commands before, but I cannot remember them.
PLEASE help me to solve this issue!

0 Karma

deepashri_123
Motivator

Hey brober27,

Firstly, inputs.conf should be on the forwarder and indexes.conf on the indexer.

inputs.conf sample:
[monitor:///var/log/messages]
disabled=false
index=app1

Also, to create an index you need to define it in indexes.conf.
indexes.conf sample:

[app1]

homePath = $SPLUNK_DB/app1/db
coldPath = $SPLUNK_DB/app1/colddb
thawedPath = $SPLUNK_DB/app1/thaweddb

And then restart.

Let me know if this helps!!!

0 Karma
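A quick consistency check for the two files this answer talks about, added here as an example and not part of the original post: it parses a forwarder's inputs.conf and an indexer's indexes.conf and reports every index that an enabled monitor stanza sends to but the indexer does not define (or defines without the three required paths). The file contents below are constructed from this thread; the only library used is the standard configparser.

```python
import configparser

# Constructed samples mirroring the thread: the forwarder's inputs.conf, and an
# indexer indexes.conf that defines only the first of the three indexes.
INPUTS_CONF = """\
[default]
host = universalforw
[monitor:///opt/splunkforwarder/var/log/app1/]
disabled = false
index = app1
[monitor:///opt/splunkforwarder/var/log/app2/]
disabled = false
index = app2
[monitor:///opt/splunkforwarder/var/log/app3/]
disabled = false
index = app3
"""
INDEXES_CONF = """\
[app1]
homePath = $SPLUNK_DB/app1/db
coldPath = $SPLUNK_DB/app1/colddb
thawedPath = $SPLUNK_DB/app1/thaweddb
"""
REQUIRED_PATHS = ("homePath", "coldPath", "thawedPath")


def parse_conf(text):
    """Parse Splunk .conf text: INI-like stanzas whose names may contain ':' and '/'."""
    cp = configparser.RawConfigParser(strict=False)   # Raw: no '$SPLUNK_DB' interpolation
    cp.optionxform = str                              # keep homePath/coldPath case
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_indexes(inputs_text, indexes_text):
    """Map each index that an enabled monitor stanza sends to onto the reason the
    indexer would not have it: no stanza in indexes.conf, or a stanza lacking one
    of the three required bucket paths. An empty dict means the files agree."""
    inputs, indexes = parse_conf(inputs_text), parse_conf(indexes_text)
    problems = {}
    for stanza, keys in inputs.items():
        if not stanza.startswith("monitor:") or keys.get("disabled", "0").lower() in ("1", "true"):
            continue
        name = keys.get("index", "main")              # Splunk's default index when unset
        if name not in indexes:
            problems[name] = "not defined in indexes.conf (needed by [%s])" % stanza
        else:
            missing = [p for p in REQUIRED_PATHS if p not in indexes[name]]
            if missing:
                problems[name] = "missing " + ", ".join(missing)
    return problems
```

Run it against the real files from both machines (the forwarder's inputs.conf and the indexer's indexes.conf) to see which of app1, app2 and app3 the indexer is actually prepared to accept.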

brober27
New Member

Are you sure that the inputs.conf must be on the indexer?
The files and directories with the logs are on the Universal Forwarder!
And the data of the logs must be sent from the universal forwarder to the indexer.
So the [monitor:///var/log/messages] should be on the universal forwarder, because the var/log/messages (as you named my logs) are on the universal forwarder.
Please can you clarify?
What you say should be possible only if I put my logs on the Indexer instance (a different machine from the universal forwarder).
Than bye

0 Karma

deepashri_123
Motivator

Hi,

Sorry for the confusion, yes, inputs on the forwarder.

0 Karma