Getting Data In

Specify index for windows Eventlogs in Universal Forwarder

johanbraeken
New Member

Hi,

I've installed a Universal Forwarder and it is forwarding Windows events fine to the Splunk server.

However, all Windows event logs are indexed in the "main" index of Splunk and I would like to have these indexed somewhere else.
I can't find out what stanza I should use to specify an index for the eventlogs in the config of the Universal forwarder.

The idea is to have multiple types of Windows hosts configured to use different indexes, all being forwarded to the same Splunk server.

Best regards,


kristian_kolb
Ultra Champion

Please upvote a/o mark as accepted if your question was answered. Thanks.

Kristian


kristian_kolb
Ultra Champion

Locate the inputs.conf file on your forwarder. You will have several inputs.conf files, but the one to look for is the one containing the following stanza:

[WinEventLog:XXX]
disabled=0

XXX would be Application, Security or System (or all of those in separate stanzas in the file). There may be other parameters defined under each stanza heading. Just add another line specifying index=zzzz, where zzzz is an index you have configured on your indexer.

The most likely location to find the correct inputs.conf file would be in:

C:\Program Files\splunk\etc\apps\search\local
C:\Program Files\splunk\etc\apps\launcher\local
C:\Program Files\splunk\etc\apps\MSICreated\local
C:\Program Files\splunk\etc\system\local

Do not edit any file in a default-directory.

Hope this helps,

Kristian
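A fuller version of the answer above, as an added example that is not part of the original post: one inputs.conf on the forwarder that routes each Windows log to its own index, plus the matching index definition on the indexer. It uses the WinEventLog:// stanza form that current Splunk versions document; the index names and the app directory are assumptions, not anything from the post.

```ini
# inputs.conf on the Universal Forwarder (constructed example).
# Put it in etc\apps\<your_app>\local\ on the forwarder, or push it from a
# deployment server as a separate app per Windows host class, so that e.g.
# domain controllers and member servers end up in different indexes.
# Assumption: the indexes named below already exist on the indexer.
# Splunk .conf files do not support trailing comments, so every comment
# sits on its own line.

[WinEventLog://Application]
disabled = 0
# without an index= line these events fall through to "main"
index = win_app

[WinEventLog://System]
disabled = 0
index = win_sys

[WinEventLog://Security]
disabled = 0
# keep audit events in their own index so they can get their own
# role-based access and retention
index = win_sec

# ---------------------------------------------------------------
# indexes.conf on the indexer (NOT on the forwarder). Every index the
# forwarder references must be defined here; the indexer drops events
# addressed to an index it does not know and logs a
# "Received event for unconfigured/disabled/deleted index" warning.
# Paths use the standard $SPLUNK_DB location.

[win_app]
homePath   = $SPLUNK_DB/win_app/db
coldPath   = $SPLUNK_DB/win_app/colddb
thawedPath = $SPLUNK_DB/win_app/thaweddb

[win_sys]
homePath   = $SPLUNK_DB/win_sys/db
coldPath   = $SPLUNK_DB/win_sys/colddb
thawedPath = $SPLUNK_DB/win_sys/thaweddb

[win_sec]
homePath   = $SPLUNK_DB/win_sec/db
coldPath   = $SPLUNK_DB/win_sec/colddb
thawedPath = $SPLUNK_DB/win_sec/thaweddb
```

Restart the forwarder (splunk restart) after editing. A search such as index=win_sec on the indexer then confirms the routing, and a search of index=main for the same hosts should return nothing new.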
