I have configured Splunk heavy forwarder in 2 machines. I want to send logs from one machine to another and expect the receiver to store all the received logs in an index called "receivedlogs".
This is the video I followed to configure Splunk: https://www.youtube.com/watch?v=S4ekkH5mv3E&t=454s&ab_channel=Splunk%26MachineLearning
let me understand:
Anyway, if HF1 locally inputs logs, you can configure the index in the inputs.conf file.
If instead HF1 receives and forwards logs, you have to configure selective indexing and forwarding in HF1 as described at https://docs.splunk.com/Documentation/Splunk/8.2.2/Forwarding/Routeandfilterdatad#Perform_selective_...
Hi @gcusello ,
On machine 1 I have configured inputs.conf in such a way that it will monitor locally stored logs. The outputs.conf is configured to send those locally stored logs to machine 2's port 9997. Machine 2 is listening on port 9997 and by default stores the received logs in the index "main".
I want to store the logs received on port 9997 in a specific index called "receivedlogs". I tried going through the documentation you mentioned but I was unable to find a proper solution.
I try to translate:
Now, you have two choices to define the index:
I suggest defining the index in the first machine; you can do this in many ways:
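As an added illustration of the two approaches described in the replies above (this is example configuration, not taken from the thread or from Splunk's documentation), here are the relevant stanzas, all placed on HF1 (machine 1), which is the instance that parses the data. The log path, sourcetype `app_log`, and hostname `machine2.example.com` are assumed placeholders; the index `receivedlogs` is the one the question asks for.

```ini
# ---- Approach 1: HF1 reads the files itself, so set the index on the input ----
# inputs.conf on HF1 (path and sourcetype are placeholders)
[monitor:///var/log/app/*.log]
index = receivedlogs
sourcetype = app_log
disabled = false

# outputs.conf on HF1: forward everything to machine 2 on port 9997
[tcpout]
defaultGroup = machine2
# keep the default: do not also index on HF1, or each event is indexed
# (and counted against the license) on both instances
indexAndForward = false

[tcpout:machine2]
server = machine2.example.com:9997

# ---- Approach 2: HF1 receives data from elsewhere, so rewrite the index ----
# props.conf on HF1: apply the transform to events of the placeholder sourcetype
[app_log]
TRANSFORMS-set_index = route_to_receivedlogs

# transforms.conf on HF1: overwrite the index field at parse time
[route_to_receivedlogs]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = receivedlogs

# inputs.conf on machine 2: the receiving port; no index setting is needed here,
# because the index name already travels with each event
[splunktcp://9997]
disabled = false
```

Two points worth checking in this setup. First, a heavy forwarder parses ("cooks") events before sending them, and the indexer does not re-run index-time props/transforms on cooked data, so placing Approach 2 on machine 2 instead of HF1 will not change the index; the assignment has to happen on the first full Splunk instance the data passes through. Second, the `receivedlogs` index must exist on machine 2 (indexes.conf or Settings > Indexes); after restarting HF1, a search for `index=receivedlogs` on machine 2 confirms the routing, and `index=main` should stop receiving the forwarded events.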
Also, correct me if I'm wrong, if OP chooses to write the messages locally to an index on the indexer and also forward them to another Splunk instance where they will get separately indexed, the indexed events will consume the license twice - once on the intermediate indexer, once on the destination indexer.