
Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

Engager

I installed the Splunk Forwarder x64 Windows version 7.0.0 today on a server. The behavior appears to have changed. In version 6.x.x the Windows event logs would go to index wineventlog. In the new version of the forwarder, it went directly to the main index. I have two questions regarding this:

  • Is there a way to change the index that is selected before the Splunk forwarder is installed so I don't have to move them from one index to another?
  • Second question, why was there a change in behavior?

Thank you in advance for any support you can provide.

0 Karma

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

SplunkTrust

What index do you specify in your inputs.conf file on the forwarder?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

Engager

By default I did not have an index set in the index.conf file for any of the Windows logs when I experienced this behavior. Of course, once I put the proper index in the inputs.conf file it started going to the index I wanted. The problem is that the Splunk forwarder was already started and the logs were already in the main index and now I need to move them. It is not something I can't overcome but it would be nice to be able to get everything set up properly prior to starting up the forwarder.

The prior configuration (6.x.x), by default, would send the events to the wineventlog index by default. The new one sends it to the main index by default. This was prior to adding any entries to the inputs.conf file to put them in the index where I would want them.

0 Karma

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

SplunkTrust

It's a good idea to always specify an index with your inputs/sourcetypes. Try to avoid letting Splunk make assumptions or guesses about what you want it to do with your data. Not only does that avoid problems like this, but it also performs better.

0 Karma

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

SplunkTrust

When possible it's also a good idea to test upgrades in a test environment to make sure things like this don't happen.


Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

Engager

Agreed on the test environment. Since I am installing with the GUI installer in Windows, is there a way to change the inputs.conf prior to starting the forwarder?

0 Karma

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

SplunkTrust

I would set up an app on your deployment server that pushes the inputs.conf out for each server. You can change the index in that file. Then when you configure the UF you can set the deployment server to access and it will pull the new configuration down. This method ensures that all forwarders (that match the criteria for the serverclass) get the same configuration.

0 Karma
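
A check for the two suggestions above (always specify an index, and ship inputs.conf in a deployment app), written as an added example that is not part of the original thread: it lists the enabled input stanzas in one inputs.conf that have no index of their own or from `[default]`, so they can be fixed before a forwarder first starts. The sample stanzas and the `wineventlog` index name are constructed, and the script reads a single file rather than Splunk's merged configuration.

```python
import re

# Constructed sample inputs.conf (assumed stanzas and index name, not from the thread).
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 1

[monitor://C:\\inetpub\\logs]
sourcetype = iis
"""

STANZA = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; a repeated key overwrites."""
    stanzas, current = {}, "default"  # settings before any header are global
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := STANZA.match(line):
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif m := SETTING.match(line):
            stanzas.setdefault(current, {})[m.group(1)] = m.group(2)
    return stanzas


def inputs_without_index(text):
    """List enabled input stanzas (scheme://...) with no index of their own or from [default]."""
    stanzas = parse_conf(text)
    inherited = stanzas.get("default", {})
    flagged = []
    for name, settings in stanzas.items():
        effective = {**inherited, **settings}
        disabled = effective.get("disabled", "0").lower() in ("1", "true")
        # Only input stanzas carry "://"; disabled inputs send nothing.
        if "://" in name and not disabled and not effective.get("index"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for stanza in inputs_without_index(SAMPLE_INPUTS_CONF):
        print(f"no explicit index: [{stanza}]")
```

On an installed forwarder, `splunk btool inputs list --debug` shows the merged settings and the file each one comes from.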

Re: Splunk Forwarder 7.0.0 -- Can I set the index that is selected before the Splunk forwarder is installed?

Engager

Thank you

0 Karma