I'm new to the Universal Forwarders and wanted to make sure I had this process correct. Some of the apps require specific TA's to be used.
Step 1: Open Port on receiving machine.
Step 2: Install Universal Forwarder on forwarding machine.
Step 3: Install TA on Universal Forwarder.
What index does this data go into on the receiving machine and is there a way to control this?
If it is in a specific piece of documentation please let me know.
I am using this as a reference but did not see this information in there:
http://docs.splunk.com/Documentation/WindowsApp/latest/User/InstalltheSplunkAppforWindows
You can control the destination index for your data via inputs.conf.
[monitor:///blah/blah]
index=my_index
If not set, it will default to 'main'. Destination index can also be changed through index-time transforms; there are some docs examples on how this process works for altering sourcetypes:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
Though for changing the index in this fashion, the DEST_KEY and assignment are slightly different:
DEST_KEY = _MetaData:Index
FORMAT = my_index
vs.
DEST_KEY = MetaData:Host
FORMAT = host::my_host
/k
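The two approaches from the answer above, written out as a complete set of stanzas. This is an added example, not part of the original posts; the sourcetype name, transform stanza name, regex and other_index are hypothetical.

```ini
# --- inputs.conf (on the universal forwarder) ---
# Sets the destination index for everything this input reads.
# Without the index line, events go to 'main'.
[monitor:///blah/blah]
index = my_index
sourcetype = my_sourcetype

# --- props.conf (on the indexer or heavy forwarder that parses the data) ---
# Index-time transforms run where the data is parsed, not on the
# universal forwarder. "my_sourcetype" is a hypothetical name.
[my_sourcetype]
TRANSFORMS-route_index = route_to_other_index

# --- transforms.conf (same instance as props.conf) ---
# Events matching REGEX have their index rewritten to other_index.
# Events that do not match keep the index set in inputs.conf.
# The regex is a constructed sample pattern.
[route_to_other_index]
REGEX = (?i)authentication failure
DEST_KEY = _MetaData:Index
FORMAT = other_index
```

Both my_index and other_index need to be defined on the receiving indexer before data is sent to them.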