Universal forwarder not using updated index proper...

jstockamp · ‎05-24-2011

While i was working on a few transforms I pointed my forwarder to a "test" index. Once I got the transforms working the way I wanted to, I tried to point the forwarder back to my "main" index, but it doesn't seem to be picking up my change. I've restarted the Windows Universal Forwarder service a few times with no effect. Here's the inputs definition from $SPLUNK_HOME/etc/system/local/inputs.conf (on the forwarder):

[monitor://D:\LogFiles\W3SVC1]
disabled = 0
index = main
whitelist = ex(\d+).log
sourcetype = iis-2

The indexer continues to insert these events into the "test" index instead of "main". Any ideas why this is happening?

jstockamp · ‎05-24-2011

I'm not setting the index with any of my transforms ... only filtering out some unwanted data.

hazekamp · ‎05-24-2011

Got it. Was not sure what transforms you were referring to. Your settings look correct.

hazekamp · ‎05-24-2011

jstockamp,

Can you verify that your indexer(s) is not affecting the target index. Any index routing props/transforms defined based on host/source/sourcetype for this data could be affecting the target index.

Universal forwarder not using updated index property in inputs.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!