Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Problem with routing/forwarding to a specific index.

aaronzabell
Path Finder
‎08-18-2010 09:14 PM

I have a bunch of light forwarders sending data to a central heavy forwarder which then sends the data to the main indexer.

On the central heavy forwarder and the main indexer I've created an index called windows.

When I run a search on the main indexer, it doesn't look like all of the data is going into the windows index and I don't know why. In particular one Windows 7 Professional system (a light forwarder) and a Windows XP Pro system (the central heavy forwarder). The other systems are getting forwarded just fine (They consist of Win 2000, XP, Server 2003 and Server 2008 R2). Help?

On each light forwarder Ive placed inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf

[default]
index = windows

On the central heavy forwarder I've placed the inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf

[default]
index = windows
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aaronzabell
Path Finder
‎08-20-2010 06:29 PM

Well, apparently on the 2 problem systems, this is the solution: I had to add the line

index = windows to

%SPLUNK_HOME\etc\system\local\inputs.conf

and

removed %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf (on the central heavy forwarder)

removed %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf (on the Windows 7 light forwarder)

I still have no clue why it needed to be different for these 2 systems.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aaronzabell
Path Finder
‎08-20-2010 06:29 PM

Well, apparently on the 2 problem systems, this is the solution: I had to add the line

index = windows to

%SPLUNK_HOME\etc\system\local\inputs.conf

and

removed %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf (on the central heavy forwarder)

removed %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf (on the Windows 7 light forwarder)

I still have no clue why it needed to be different for these 2 systems.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-19-2010 03:43 AM

that's generally the right way, except that any particular input can override the default and send its data to a different index, and transforms can also change the target index.

0 Karma
Reply
Solved! Jump to solution

aaronzabell
Path Finder
‎08-20-2010 06:18 PM

OK, I got the central forwarder fixed. I had to add the line index = windows to %SPLUNK_HOME\etc\system\local\inputs.conf and removed %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf

0 Karma
Reply
Solved! Jump to solution

aaronzabell
Path Finder
‎08-20-2010 06:09 PM

OK, any idea as to why these 2 systems aren't cooperating then?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-20-2010 07:59 AM

No I am saying that the specific input can set a different index so your default may be overridden.

0 Karma
Reply
Solved! Jump to solution

aaronzabell
Path Finder
‎08-20-2010 03:03 AM

So on those 2 systems do you think placing the inputs.conf in %SPLUNK_HOME\etc\system\local will do the trick?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...