Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Universal Forwarder and a New Index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firstly I'm new to splunk and a bit confused.
One question I would like answered first is can you use new indexes in the free version and have a Universal Forwarder send data to it?
If so then can someone give me help/guidance/instructions on how to achieve the following:
At the moment in a test environment I have a 2008 R2 server setup as a Domain Controller and want to save the security logs, the Universal Forwarder is installed on this server and using port 9997.
On another server I have the full(free) version of Splunk-4.3.3 installed.
I created a new index called dc_logs and setup the Receiver.
The info from the DC is coming across but into the Main default index and I cannot seem to work out how to set it so the data goes into the dc_logs index.
The ultimate goal is get the security logs into an individual index and retain the info for a period of 6 months.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the few Windows servers I am collecting data, none of it is from the Windows logs; only the application that runs on these servers. However, the UF gets its instructions from what to monitor from inputs.conf, so there is one defined on your server -- perhaps as a result of the MSI install process -- that has set this up. In that file is a line that reads "index={INDEX_NAME}". The file you want for your purpose is likely in the etc/system/local directory on the server with the UF installed. Check that out, it probably says "index=main" or "index=default" and you can edit that to read "index=dc_logs". Naturally, the UF will need restarted after this change is saved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the few Windows servers I am collecting data, none of it is from the Windows logs; only the application that runs on these servers. However, the UF gets its instructions from what to monitor from inputs.conf, so there is one defined on your server -- perhaps as a result of the MSI install process -- that has set this up. In that file is a line that reads "index={INDEX_NAME}". The file you want for your purpose is likely in the etc/system/local directory on the server with the UF installed. Check that out, it probably says "index=main" or "index=default" and you can edit that to read "index=dc_logs". Naturally, the UF will need restarted after this change is saved.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
