Getting Data In

Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

Ronvgraham
Engager

I installed the Splunk Forwarder x64 Windows version 7.0.0 today on a server. The behavior appears to have changed. In version 6.x.x the Windows event logs would go to index wineventlog. In the new version of the forwarder, it went directly to the main index. I have two questions regarding this:

  • Is there a way to change the index that is selected before the Splunk forwarder is installed so I don't have to move them from one index to another?
  • Second question, why was there a change in behavior?

Thank you in advance for any support you can provide.

0 Karma

snowmizer
Communicator

I would set up an app on your deployment server that pushes the inputs.conf out for each server. You can change the index in that file. Then when you configure the UF you can set the deployment server to access and it will pull the new configuration down. This method ensures that all forwarders (that match the criteria for the serverclass) get the same configuration.

0 Karma

Ronvgraham
Engager

Thank you

0 Karma

Ronvgraham
Engager

By default I did not have an index set in the index.conf file for any of the Windows logs when I experienced this behavior. Of course, once I put the proper index in the inputs.conf file it started going to the index I wanted. The problem is that the Splunk forwarder was already started and the logs were already in the main index and now I need to move them. It is not something I can't overcome, but it would be nice to be able to get everything set up properly prior to starting up the forwarder.

The prior configuration (6.x.x) would, by default, send the events to the wineventlog index. The new one sends them to the main index by default. This was prior to adding any entries to the inputs.conf file to put them in the index where I would want them.

0 Karma

Ronvgraham
Engager

Agreed on the test environment. Since I am installing with the GUI installer in Windows, is there a way to change the inputs.conf prior to starting the forwarder?

0 Karma

richgalloway
SplunkTrust

It's a good idea to always specify an index with your inputs/sourcetypes. Try to avoid letting Splunk make assumptions or guesses about what you want it to do with your data. Not only does that avoid problems like this, but it also performs better.

---
If this reply helps you, Karma would be appreciated.
0 Karma
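The thread asks for a way to set the index before the forwarder ever starts, and the answers recommend always pinning an explicit index and distributing inputs.conf from a deployment server. The following PowerShell is an added example written for this page; it is not code from the thread, from Splunk's documentation or from any Splunk app. It installs the Windows universal forwarder silently with the installer told not to start splunkd, writes an inputs.conf that names the index for the three classic event log channels, then starts the service and uses btool to confirm the merged configuration. The MSI path, the deployment server host:port, the local app name `win_inputs_local` and the index name are assumptions you would replace with your own values.

```powershell
# Added example (not from the thread): install the UF without starting it, pin the
# index in inputs.conf, then start the service so the very first events land where
# you want them instead of in main.
# Assumed values: MSI file name, deployment server host:port, app name, index name.
$Msi              = 'C:\Temp\splunkforwarder-7.0.0-x64-release.msi'   # assumed file name
$DeploymentServer = 'deploy.example.com:8089'                           # assumed host:port
$InstallDir       = 'C:\Program Files\SplunkUniversalForwarder'         # default install path
$IndexName        = 'wineventlog'                                       # must already exist on the indexers

# 1. Silent install. LAUNCHSPLUNK=0 installs the service but does not start it, which
#    is the window the original poster was looking for. No WINEVENTLOG_*_ENABLE flags
#    are passed, so the only event log stanzas will be the ones written in step 2.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    'LAUNCHSPLUNK=0',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    '/quiet'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# 2. Write inputs.conf before first start. Putting it in an app (assumed name) rather
#    than etc\system\local matters: system\local outranks every app, so anything left
#    there would silently override the inputs.conf a deployment server pushes later.
$AppLocal = Join-Path $InstallDir 'etc\apps\win_inputs_local\local'
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null

$inputsConf = @"
[WinEventLog://Application]
disabled = 0
index = $IndexName

[WinEventLog://Security]
disabled = 0
index = $IndexName

[WinEventLog://System]
disabled = 0
index = $IndexName
"@
Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Value $inputsConf -Encoding ASCII

# 3. Only now start the forwarder. Events read from the first start onward carry
#    index=$IndexName, so nothing has to be moved out of main afterwards.
Start-Service -Name 'SplunkForwarder'

# 4. Check what splunkd will actually use after merging every configuration layer.
#    Every WinEventLog stanza should show the intended index; a missing "index ="
#    line means that input will fall back to the default index (main).
& (Join-Path $InstallDir 'bin\splunk.exe') btool inputs list --debug |
    Select-String -Pattern 'WinEventLog://|^.*index ='
```

Two caveats worth keeping in mind. First, the index named here has to exist on the receiving indexers; an indexer discards events addressed to an index it does not have, so create it in indexes.conf before the forwarder starts sending. Second, the same three stanzas, placed in an app under etc\deployment-apps on the deployment server and mapped to the Windows server class in serverclass.conf, are the scalable version of snowmizer's advice: every forwarder that checks in gets an identical inputs.conf, and the local app above is only a bridge for the minutes between install and first deployment-server poll.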

snowmizer
Communicator

When possible it's also a good idea to test upgrades in a test environment to make sure things like this don't happen.

richgalloway
SplunkTrust

What index do you specify in your inputs.conf file on the forwarder?

---
If this reply helps you, Karma would be appreciated.
0 Karma