Universal forwarder not using updated index proper...

jstockamp · ‎05-24-2011

While i was working on a few transforms I pointed my forwarder to a "test" index. Once I got the transforms working the way I wanted to, I tried to point the forwarder back to my "main" index, but it doesn't seem to be picking up my change. I've restarted the Windows Universal Forwarder service a few times with no effect. Here's the inputs definition from $SPLUNK_HOME/etc/system/local/inputs.conf (on the forwarder):

[monitor://D:\LogFiles\W3SVC1]
disabled = 0
index = main
whitelist = ex(\d+).log
sourcetype = iis-2

The indexer continues to insert these events into the "test" index instead of "main". Any ideas why this is happening?

jstockamp · ‎05-24-2011

I'm not setting the index with any of my transforms ... only filtering out some unwanted data.

hazekamp · ‎05-24-2011

Got it. Was not sure what transforms you were referring to. Your settings look correct.

hazekamp · ‎05-24-2011

jstockamp,

Can you verify that your indexer(s) is not affecting the target index. Any index routing props/transforms defined based on host/source/sourcetype for this data could be affecting the target index.

Universal forwarder not using updated index property in inputs.conf

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

Join the Conversation

Universal forwarder not using updated index property in inputs.conf

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect