I inherited a Splunk Enterprise deployment with a deployment management server used to make changes to all forwarders in the environment. In our environment we have an Index called "test" that is eating away at a highly disproportionate amount of our license (it's 50+% of our daily usage).
When I logon to our Splunk Deployment Server and do a search for "Index = test" or "Index=test" I get back to apps in $SPLUNK_HOME/etc/deployment-apps/. The first is DesktopForwarder that has a default inputs.conf file that looks like this (extra line breaks removed):
The second is a Forwarder app that has a default inputs.conf that looks like this:
index = test
disabled = 1
In the context of today if I search index="test" I get thousands of WinEventLog:Security from every Windows server on our network. If I search index="test" NOT sourcetype="WinEventLog:Security" I get a few dozen log files from one RHEL6 server that don't appear to be handled elsewhere.
My question is in the second file (Forwarder/default/inputs.conf) is that changing our default index from "Main" to "test" for all forwarders getting apps from the management server?
Additionally if I search sourcetype="WinEventLog:Security" I have 2 other indexes (for a total of 3) getting WinEvent Security logs. Is there a way for me to tell if these are duplicates?