In our environment (mid-size enterprise with remote sites) we have our primary indexer on dedicated hardware. All data that is indexed is sent from forwarders distributed throughout the enterprise. On the indexer, I would like to segregate incoming data based on OS and site into separate databases. Something like incoming linux data from LA linux to the LAXLI db, incoming Windows data from Seattle to the SEAWIN db and so on.
Has anyone done this or does anyone know how? Is it possible?
I guess that by database you mean separate indexes. And yes, this is most certainly doable, and perhaps even desirable.
You'd need to create indexes on your indexer (can be done through the GUI under Manager->Indexes). Then you'll have to configure each forwarder to send data to the correct index in the inputs.conf files on the forwarders, e.g.:
On a Windows forwarder in Chicago:

[WinEventLog:Security]
index = CHIWIN
disabled = 0

[WinEventLog:Application]
index = CHIWIN
disabled = 0

And for a Linux forwarder in Anchorage:

[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN
disabled = false

[monitor:///var/log/myApp/myLog.log]
sourcetype = myType
index = ANCLIN
disabled = false
Please note that you have to create the indexes before you start sending data.
Hope this helps.
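The note above that indexes must exist before forwarders send to them is the kind of thing that is easy to get wrong across many sites. The following is an added example (not part of the answer above or of Splunk itself) that reads each forwarder's inputs.conf together with the indexer's indexes.conf and reports enabled inputs that route to an index the indexer does not define, or that set no index at all. The forwarder names, stanzas and the indexer-side indexes.conf are constructed samples modelled on the answer.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample: inputs.conf from two forwarders, keyed by host name (hypothetical names).
FORWARDER_INPUTS: Dict[str, str] = {
    "chicago-win01": """
[WinEventLog:Security]
index = CHIWIN
disabled = 0
[WinEventLog:Application]
index = CHIWIN
disabled = 0
""",
    "anchorage-lin01": """
[monitor:///var/log/secure]
sourcetype = linux_secure
index = ANCLIN
disabled = false
[monitor:///var/log/messages]
sourcetype = syslog
disabled = false
""",
}

# Constructed sample: indexes.conf on the indexer. Only CHIWIN has been created so far.
INDEXER_INDEXES = """
[CHIWIN]
homePath = $SPLUNK_DB/chiwin/db
coldPath = $SPLUNK_DB/chiwin/colddb
thawedPath = $SPLUNK_DB/chiwin/thaweddb
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style; interpolation is off so $SPLUNK_DB is left alone."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def defined_indexes(indexes_conf: str) -> Set[str]:
    """Index names are the stanza names, excluding [default] and volume: stanzas."""
    cp = parse_conf(indexes_conf)
    return {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}


def audit_all(forwarders: Dict[str, str], indexes_conf: str) -> List[str]:
    """Return one finding per enabled input whose target index is missing or unset."""
    known = defined_indexes(indexes_conf)
    findings: List[str] = []
    for host, text in forwarders.items():
        cp = parse_conf(text)
        # A [default] stanza in inputs.conf may supply index= for every other stanza.
        default_idx = cp["default"].get("index") if cp.has_section("default") else None
        for stanza in cp.sections():
            if stanza == "default" or cp[stanza].get("disabled", "0").lower() in ("1", "true"):
                continue  # disabled inputs send nothing, so they cannot misroute
            idx = cp[stanza].get("index", default_idx)
            if idx is None:
                findings.append(f"{host}: [{stanza}] sets no index and will land in the default index")
            elif idx not in known:
                findings.append(f"{host}: [{stanza}] routes to index '{idx}' which is not defined on the indexer")
    return findings
```

Run it against the real files (e.g. collected via your deployment server) before enabling new forwarders; anything it reports would otherwise arrive in the wrong index or in none.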
Exactly what I was looking for. It works perfectly.
You wouldn't know how to get this new index viewed by the Search App, do you? I am not an XML guy, so I'm hoping I don't have to write XML code for this.
The summary page in the Search app shows the indexes that the user you're logged in as is configured to search by default. This can be set in the manager, commonly through the user's role - Access controls -> Roles ->