Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Specify index for windows Eventlogs in Universal Forwarder

johanbraeken
New Member
‎04-06-2012 12:13 AM

Hi,

I've installed a Universal Forwarder and it is forwarding Windows events fine to the Splunk server.

Hoever, all Windows eventlogs are indexed in the "main" index of Spunk and I would like to have these indexed somwhere else.
I can't find out what stanza I should use to specify an index for the eventlogs in the config of the Universal forwarder.

The idea is to have multiple types of Windows hosts configured to use different indexes, all bering forwarded to the same Splunk server.

Best regards,

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-06-2012 05:10 AM

Please upvote a/o mark as accepted if your question was answered. Thanks.

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-06-2012 03:25 AM

Locate the inputs.conf file on your forwarder. You will have several inputs.conf files, but the one to look for is the one containing the following stanza;

[WinEventLog:XXX]
disabled=0

XXX would be Application, Security or System (or all of those in separate stanzas in the file). There may be other parameters defined under each stanza heading. Just add another line specifying index=zzzz , where zzzz is an index you have configured on your indexer.

The most likely location to find the correct inputs.conf file would be in;

C:\Program Files\splunk\etc\apps\search\local
C:\Program Files\splunk\etc\apps\launcher\local
C:\Program Files\splunk\etc\apps\MSICreated\local
C:\Program Files\splunk\etc\system\local

Do not edit any file in a default-directory.

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...