Solved: Which index does the forwarded data go???

Caio_Santos · ‎09-14-2010

How do I know which index forwarded data goes to receiver instance ? I'm not sure about that, but i've created 2 index. One on the forwarder other on the receiver instance and here is the trick, both with the same name and I guess it might be working because the index on the receiver is increasing.

how can i make sure about that ??? and is there any way to set this up if is not correct ??

dwaddle · ‎09-14-2010

You don't need to create indexes on forwarder nodes. Indexes only need to be created at the indexer. A forwarder can influence which index forwarded data goes into at the indexer via inputs.conf, similar to as follows:

[monitor:///my/log/file.txt]
index=myindex

But, this index must exist at the indexer, or the data will fall into /dev/null

Typically the light forwarder configuration disables all local indexes, through $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf.

View solution in original post

dwaddle · ‎09-14-2010

You don't need to create indexes on forwarder nodes. Indexes only need to be created at the indexer. A forwarder can influence which index forwarded data goes into at the indexer via inputs.conf, similar to as follows:

[monitor:///my/log/file.txt]
index=myindex

But, this index must exist at the indexer, or the data will fall into /dev/null

Typically the light forwarder configuration disables all local indexes, through $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf.

Caio_Santos · ‎09-14-2010

I'm sorry for my ignorance dwaddle, but where can I find this file ??
Thank you very much

Which index does the forwarded data go???

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor