Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Specify index for windows Eventlogs in Universal Forwarder

johanbraeken
New Member
‎04-06-2012 12:13 AM

Hi,

I've installed a Universal Forwarder and it is forwarding Windows events fine to the Splunk server.

Hoever, all Windows eventlogs are indexed in the "main" index of Spunk and I would like to have these indexed somwhere else.
I can't find out what stanza I should use to specify an index for the eventlogs in the config of the Universal forwarder.

The idea is to have multiple types of Windows hosts configured to use different indexes, all bering forwarded to the same Splunk server.

Best regards,

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-06-2012 05:10 AM

Please upvote a/o mark as accepted if your question was answered. Thanks.

Kristian

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-06-2012 03:25 AM

Locate the inputs.conf file on your forwarder. You will have several inputs.conf files, but the one to look for is the one containing the following stanza;

[WinEventLog:XXX]
disabled=0

XXX would be Application, Security or System (or all of those in separate stanzas in the file). There may be other parameters defined under each stanza heading. Just add another line specifying index=zzzz , where zzzz is an index you have configured on your indexer.

The most likely location to find the correct inputs.conf file would be in;

C:\Program Files\splunk\etc\apps\search\local
C:\Program Files\splunk\etc\apps\launcher\local
C:\Program Files\splunk\etc\apps\MSICreated\local
C:\Program Files\splunk\etc\system\local

Do not edit any file in a default-directory.

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...