I installed the Splunk Forwarder x64 Windows version 7.0.0 today on a server. The behavior appears to have changed. In version 6.x.x the windows event logs would go to index wineventlog. In the new version of the forwarder, it went directly to the main index. I have two questions regarding this:
Thank you in advance for any support you can provide.
I would set up an app on your deployment server that pushes the inputs.conf out for each server. You can change the index in that file. Then when you configure the UF you can set the deployment server to access and it will pull the new configuration down. This method ensures that all forwarders (that match the criteria for the serverclass) get the same configuration.
Thank you
By default I did not have an index set in the index.conf file for any of the windows logs when I experience this behavior. Of course, one I put the proper index in the inputs.conf file it started going to the index I wanted. The problem is that the splunk forwarder was already started and the logs were already in the main index and now I need to move them. It is not something I can't overcome but it would be nice to be able to get everything set up properly prior to starting up the forwarder.
The prior configuration (6.x.x), by default, would send the events to the wineventlog index by default. The new one sends it to the main index by default. This was prior to adding any entries to the inputs.conf file to put them in the index where I would want them.
Agreed on the test environment. Since I am installing with the GUI installer in Windows is there a way to change the inputs.conf prior to starting the forwarder?
It's a good idea to always specify an index with your inputs/sourcetypes. Try to avoid letting Splunk make assumptions or guesses about what you want it to do with your data. Not only does that avoid problems like this, but it also performs better.
When possible it's also a good idea to test upgrades in a test environment to make sure things like this don't happen.
What index do you specify in your inputs.conf file on the forwarder?