Getting Data In

indexes and universal forwarder

ddholstadz
Explorer

I use the following commands on my light forwarders to add an index and set new files to use it. /opt/splunkforwarder/bin/splunk add index java /opt/splunkforwarder/bin/splunk add monitor -index java

When using the universal forwarder I get this error: # /opt/splunkforwarder/bin/splunk add index java The object "index" is not supported on this installation.

What is the proper way to assign files to a specific index when using the universal forwarder?

Tags (1)
0 Karma
1 Solution

ftk
Motivator

Instead of creating the index at the forwarder/universalforwarder, you simply specify which index on the indexer the data should be sent to in your monitor stanza. Check out this section of the docs:

http://www.splunk.com/base/Documentation/latest/Admin/Setupmultipleindexes#Route_events_to_specific_...

View solution in original post

mic
Splunk Employee
Splunk Employee

In 4.3.3 and going forward, there is a parameter (check-index) that you can set to make this to happen without getting an error message complaining about the nonexistent index. By setting check-index to false, Universal Forwarder would not require the index to be there to begin with, but this is not the default behavior in 4.3.3.

For example:

./splunk add monitor /var/log/case1 -index test_case1 -check-index false

The default behavior is different depending on the version

  • 4.3.3 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 4.3.4 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 4.3.5 universal forwarder: default check-index is true, which means that it would always check whether the index exists
  • 5.0.2 universal forwarder: default check-index is false
0 Karma

ftk
Motivator

Instead of creating the index at the forwarder/universalforwarder, you simply specify which index on the indexer the data should be sent to in your monitor stanza. Check out this section of the docs:

http://www.splunk.com/base/Documentation/latest/Admin/Setupmultipleindexes#Route_events_to_specific_...