I receive a syslog feed on my heavy forwarder. From there the data is forwarded to my indexer.
And on my indexer I want the received data to be indexed in index=syslog.
Heavy Forwarder configuration
connection_host = X.X.X.X
index = syslog_index
sourcetype = syslog_st
and the configuration on my indexer is:
index = syslog
sourcetype = syslog_feed
But I am getting a warning on my indexer:
received event for unconfigured/disabled index='syslog_index' with source='source::udp:514' host='host::X.X.X.X' sourcetype='sourcetype::syslog_st' (1 missing total)
Why is it still trying to put the forwarded data into index=syslog_index when I specified on my indexer that data should go into index=syslog?
Could anyone please help?
A heavy forwarder does the event parsing, which means you cannot change the index name on the indexer side (the "index=syslog" part on the indexer is ignored).
You should switch the Heavy Forwarder to a Universal Forwarder to move the parsing logic to the indexer.
Another option is to set the "sendCookedData=false" parameter in outputs.conf on the HF to tell Splunk to send RAW unparsed data.
Why are you setting index = syslog_index in the first place? Just set index=syslog, no? In any case, if it's a heavyweight forwarder, all the parsing has already been done, which is why the indexer is ignoring your configuration.
The reason I have different index names is that from the heavy forwarder I have to filter data to be sent to different indexes on the indexer (one to hold user auth data and the other to hold payload data) depending on some regex.
There is still a forwarder somewhere configured to send to this syslog_index.
Can you check:
use the btool command to make sure, and search for the keyword syslog_index in the outputs
./splunk cmd btool inputs list --debug
./splunk cmd btool props list --debug
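To make the two points in this thread concrete (the index is stamped on the event at parse time on the heavy forwarder, and every index a forwarder can stamp must exist on the indexer), here is an added example that is not part of the thread. It models the HF's index routing from inputs.conf, props.conf and transforms.conf, and then performs the check the btool suggestion above is after: list every index the HF can assign and compare it with the indexes defined on the indexer. The conf contents are constructed samples for this example; the stanza and key names (TRANSFORMS-*, DEST_KEY = _MetaData:Index, FORMAT) are standard Splunk conf keys, while the index names syslog_auth and syslog_payload are assumptions.

```python
import configparser
import re

# Constructed sample conf files, in the shape `splunk cmd btool <conf> list` prints them.
HF_INPUTS_CONF = """
[udp://514]
connection_host = ip
index = syslog_index
sourcetype = syslog_st
"""

HF_PROPS_CONF = """
[syslog_st]
TRANSFORMS-route = route_auth, route_payload
"""

HF_TRANSFORMS_CONF = """
[route_auth]
REGEX = (?i)authentication|login
DEST_KEY = _MetaData:Index
FORMAT = syslog_auth

[route_payload]
REGEX = payload=
DEST_KEY = _MetaData:Index
FORMAT = syslog_payload
"""

# Constructed indexer-side indexes.conf: note that syslog_index and syslog_payload are missing.
INDEXER_INDEXES_CONF = """
[syslog]
homePath = $SPLUNK_DB/syslog/db

[syslog_auth]
homePath = $SPLUNK_DB/syslog_auth/db
"""


def load_conf(text):
    """Parse Splunk-style conf text; keep key case so TRANSFORMS-* and DEST_KEY survive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_default__")
    parser.optionxform = str
    parser.read_string(text)
    return parser


def route_event(raw, sourcetype, props_text, transforms_text, default_index):
    """Model of parse-time index assignment on a heavy forwarder (this example's model,
    not Splunk's code): start from the input's default index, then apply the sourcetype's
    TRANSFORMS-* classes in order. Each matching transform writes DEST_KEY, so a later
    match overwrites an earlier one. Whatever comes out here is what the indexer receives;
    an index= setting on the indexer does not change it."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    index = default_index
    if not props.has_section(sourcetype):
        return index
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if transforms.get(name, "DEST_KEY", fallback="") != "_MetaData:Index":
                continue
            if re.search(transforms.get(name, "REGEX"), raw):
                index = transforms.get(name, "FORMAT")
    return index


def referenced_indexes(inputs_text, transforms_text):
    """Every index the HF can stamp: input defaults plus transform FORMAT targets."""
    refs = {}
    inputs = load_conf(inputs_text)
    for stanza in inputs.sections():
        if inputs.has_option(stanza, "index"):
            refs[inputs.get(stanza, "index")] = f"inputs.conf [{stanza}]"
    transforms = load_conf(transforms_text)
    for stanza in transforms.sections():
        if transforms.get(stanza, "DEST_KEY", fallback="") == "_MetaData:Index":
            refs[transforms.get(stanza, "FORMAT")] = f"transforms.conf [{stanza}]"
    return refs


def defined_indexes(indexes_text):
    """Enabled index stanzas on the indexer; volume/provider stanzas are not indexes."""
    conf = load_conf(indexes_text)
    return {s for s in conf.sections()
            if not s.startswith(("volume:", "provider", "default"))
            and conf.get(s, "disabled", fallback="false").lower() not in ("true", "1")}


def unconfigured_indexes(inputs_text, transforms_text, indexes_text):
    """Indexes the HF can send that the indexer has not defined: each one would raise the
    'received event for unconfigured/disabled index' warning from the question."""
    defined = defined_indexes(indexes_text)
    return {name: where for name, where in
            referenced_indexes(inputs_text, transforms_text).items() if name not in defined}


if __name__ == "__main__":
    for raw in ("user=bob login ok", "payload=0xdeadbeef", "heartbeat"):
        print(raw, "->", route_event(raw, "syslog_st", HF_PROPS_CONF,
                                     HF_TRANSFORMS_CONF, "syslog_index"))
    for name, where in unconfigured_indexes(HF_INPUTS_CONF, HF_TRANSFORMS_CONF,
                                            INDEXER_INDEXES_CONF).items():
        print(f"missing on indexer: {name} (set in {where})")
```

Events that match neither regex keep the input's default index, so the default (syslog_index here) has to exist on the indexer as well as the routed targets; renaming it on the indexer side has no effect, as the answer above explains.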
I have only one heavy forwarder pushing data to 2 indexers.
And on that heavy forwarder
the conf is the same as in my post above, and both indexers have the configuration mentioned above in the post.