Is it possible to use multiple indexes in a single...

bwniranjan · ‎12-14-2018

We have a multiple logs in a single server. But, I want to separate those logs to control access. Can we send different log files to different indexes so that we can segrate the logs to users?

prakash007 · ‎12-14-2018

If you have a universal forwarder installed on your host, yes-you can send those logs to different indexes...for instance you can have your inputs configured this way..

inputs.conf
[monitor:///var/log/httpd]
sourcetype = access_common
index = web_access 

[monitor:///var/log/messages]
sourcetype = syslog
index = linux_os

renjith_nair · ‎12-14-2018

@bwniranjan,
Yes of course! You can use multiple indexes in same indexer .

Read though this documentation and let us know in case you have further questions.

How to create multiple indexes
Monitor files and directories with inputs.conf
Input conf for monitor

---
What goes around comes around. If it helps, hit it with Karma 🙂

Is it possible to use multiple indexes in a single server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation