Getting Data In

Indexing log files already (although not correctly) indexed

brober27
New Member

This is my first experience of indexing log files. Therefore I am conscious of not having full control of what I am doing.
I started with my target of indexing log files. I have many applications on different hosts and every application (I call it App) has a different log; and each log is suffixed with a number to indicate that it is a historical log (i.e. App1.log1 stands for the log of App1 at time 1, App1.log2 stands for the log of App1 at time 2, App1.log3 stands for the log of App1 at time 3).
I also have App2 logs, App3 logs etc.
I have organized my work in such a way as to have an index for each application. Therefore each index (which I will call by the name of the application itself) will contain the historical logs (log1, log2, log3, etc.) of that application.
I also have a Universal Forwarder (where I have put all my logs), an Indexer, and a Search Head.
In order to create indexes on the Indexer instance I have written the inputs.conf file on the Universal Forwarder.
It is the following:
[default]
host = universalforw

[monitor:///opt/splunkforwarder/var/log/app1/]
disabled = false
index = app1

[monitor:///opt/splunkforwarder/var/log/app2/]
disabled = false
index = app2

[monitor:///opt/splunkforwarder/var/log/app3/]
disabled = false
index = app3
I have also enabled receiving on the indexer (port 9997) and written the following outputs.conf file in the universal forwarder directory:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ip-of-indexer:9997

[tcpout-server://ip-of-indexer:9997]
Unfortunately it doesn't work! I have checked that the universal forwarder forwards (it is active) and I have also checked that the indexer is listening on port 99997.
The indexes are not created, although some indexes existed (not correct) because I gave some commands before, but I cannot remember them.
PLEASE help me to solve this issue!

0 Karma

deepashri_123
Motivator

Hey brober27,

Firstly, inputs.conf should be on the forwarder and indexes.conf on the indexer.

inputs.conf sample:
[monitor:///var/log/messages]
disabled=false
index=app1

Also, to create an index you need to create the index in indexes.conf.
indexes.conf sample:

[app1]

homePath = $SPLUNK_DB/app1/db
coldPath = $SPLUNK_DB/app1/colddb
thawedPath = $SPLUNK_DB/app1/thaweddb

And then restart.

Let me know if this helps!!!

0 Karma
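Added example (not part of the thread above): a small checker that parses a forwarder's inputs.conf and an indexer's indexes.conf and reports every index named by an enabled monitor stanza that the indexer has no stanza for, which is the mismatch described in this answer. The two config texts are constructed samples mirroring the question, with only app1 defined on the indexer.

```python
import re

# Constructed sample inputs.conf, mirroring the forwarder config in the question.
INPUTS_CONF = """\
[default]
host = universalforw
[monitor:///opt/splunkforwarder/var/log/app1/]
disabled = false
index = app1
[monitor:///opt/splunkforwarder/var/log/app2/]
disabled=false
index=app2
[monitor:///opt/splunkforwarder/var/log/app3/]
disabled = false
index = app3
"""

# Constructed sample indexes.conf from the indexer: only app1 is defined.
INDEXES_CONF = """\
[app1]
homePath = $SPLUNK_DB/app1/db
coldPath = $SPLUNK_DB/app1/colddb
thawedPath = $SPLUNK_DB/app1/thaweddb
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:  # ignore keys outside a stanza
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def missing_indexes(inputs_text, indexes_text):
    """Indexes referenced by enabled monitor stanzas that indexes.conf does not define."""
    defined = set(parse_conf(indexes_text)) - {"default"}
    wanted = set()
    for name, kv in parse_conf(inputs_text).items():
        enabled = kv.get("disabled", "false").lower() not in ("1", "true")
        if name.startswith("monitor://") and enabled and kv.get("index"):
            wanted.add(kv["index"])
    return sorted(wanted - defined)

if __name__ == "__main__":
    for idx in missing_indexes(INPUTS_CONF, INDEXES_CONF):
        print(f"index '{idx}' is referenced in inputs.conf but not defined in indexes.conf")
```

Run against the real files (for example /opt/splunkforwarder/etc/system/local/inputs.conf on the forwarder and $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer) to see which indexes still need a stanza before restarting the indexer.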

brober27
New Member

Are you sure that the inputs.conf must be on the indexer?
The files and directories with the logs are on the universal forwarder!
And the data of the logs must be sent from the universal forwarder to the indexer.
So the [monitor:///var/log/messages] should be on the universal forwarder because the /var/log/messages (as you named my logs) are on the universal forwarder.
Please can you clarify?
What you say should be possible only if I put my logs on the Indexer instance (a different machine from the universal forwarder).
Then, bye

0 Karma

deepashri_123
Motivator

Hi,

Sorry for the confusion, yes, inputs.conf on the forwarder.

0 Karma