I have configured the Windows logs input to go to a certain index, Index_test_03, but very little data - tens of events - goes there. Most of it - thousands of events - goes to the main index, something I have not configured!
I also noticed that the indexes I create go under App=Launcher, not Search! The indexes I created before are under App=Search. I have not changed anything that would cause this.
Can you advise?
regards
Altin
I have a Windows 2003 box which in Settings/Add Data/Forward has been mapped to "index_test_01". I also have a Windows 2008 box which in the same is mapped to "index_test_03".
I have done no configuration in the Universal Forwarders - except Splunk server IP and two ports, the latest during install.
"index_test_01" of Win 2003 is populated, while "index_test_03" of Win 2008 gets very little data; most of it goes to the index main.
Same config on the universal forwarders, same config on the server - the results are different.
Can anyone help?
regards
Altin
There are 4 possibilities:
1: Inside your new inputs.conf you left index=Index_test_03 out of one of your stanzas.
2: You have a precedence problem where your configurations are not being used because there are configurations with index=main somewhere else. The most likely place is in the learned app, so check there. Also make sure that your configurations are inside your app (not $SPLUNK_HOME/etc/system/*/inputs.conf), such as $SPLUNK_HOME/etc/apps/myapp/default/inputs.conf.
3: You have the correct configuration files but you have not deployed them to ALL of your forwarders.
4: You have done everything else correctly but you have not restarted the Splunk instance on all of your forwarders (which must be done after every change to inputs.conf that you make while debugging this).
In any case, you should be able to sort through this by using btool on your forwarders to list out your inputs.conf like this:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
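An added example (not from this thread, and not Splunk's own tooling) that checks the merged stanzas btool prints for exactly the mistake described in possibilities 1 and 2: it parses conf-style text like the output of `splunk cmd btool inputs list WinEventLog`, works out which index each enabled WinEventLog input actually lands in (an explicit `index=`, else the `[default]` stanza, else Splunk's built-in `main`), and flags any stanza that does not point at the expected index. The sample stanzas and the host name are constructed.

```python
import re

# Constructed sample in the shape of merged inputs.conf text, as printed by
# `splunk cmd btool inputs list WinEventLog`. Not taken from the thread.
SAMPLE = """\
[default]
host = win2008-box

[WinEventLog://Application]
disabled = 0
index = index_test_03

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
index = main
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse INI-style Splunk conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_index(stanzas, expected="index_test_03"):
    """Return {stanza: (index_in_use, ok)} for every enabled WinEventLog input.
    A stanza without index= inherits [default]; failing that Splunk uses 'main'."""
    fallback = stanzas.get("default", {}).get("index", "main")
    report = {}
    for name, kv in stanzas.items():
        if not name.startswith("WinEventLog://"):
            continue
        if kv.get("disabled", "0").lower() in ("1", "true"):
            continue  # disabled inputs send nothing anywhere
        idx = kv.get("index", fallback)
        report[name] = (idx, idx == expected)
    return report


if __name__ == "__main__":
    for name, (idx, ok) in effective_index(parse_conf(SAMPLE)).items():
        print(f"{'OK ' if ok else 'BAD'} {name} -> {idx}")
```

Feed it the real btool output on each forwarder; any line marked BAD is a stanza whose events will show up in main (or another index) rather than the one you configured.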
I have configured the respective index in each Universal Forwarder and the data now goes to the right index.
Thank you everyone for the support.
regards
Altin
Please click "Accept" on the answer that most led you to your solution.
Could you please add your "inputs.conf" and "props.conf" to your question, so we can see how individual events are parsed?
I'd verify your universal forwarder configuration. For the windows event logs you are specifying in inputs.conf, you should have an "index=Index_test_03" configuration set.
The main index is the default, and if you have events showing up there it means, for those inputs, they don't have any other index specified.
How are you collecting the information? Make sure that however you define the input for the Windows logs that you specify the index in the inputs.conf file, otherwise they will go to "main".
PS: I am using Universal Forwarders installed locally on the Windows servers to retrieve log data.
Please use the commenting feature, instead of answering the question.
Verify that your indexes are set on the inputs.
Open an Administrative Command Prompt, and type this:
"C:\Program Files\Splunk\bin\splunk.exe cmd btool inputs list WinEventLog --debug"
Make sure that all of the Inputs have the correct index definition defined.
The problem is that most of them go to the main index, while very few go to what I would be expecting, i.e. my index.
Shouldn't they all go to only one index? Why are they split?
Thanks
Altin