Knowledge Management

Tag data on universal forwarder

splunkprimeriti
Explorer

Hi!

We are migrating from Storm to self-hosted Splunk.

In Storm there are projects, which are a nice addition to Splunk's capabilities; in Enterprise all the forwarded data goes into the same bag.

If we forward, for example, access.logs from different machines which serve different projects, we could limit searches and reports by host, but this is inefficient.

Is there a way to set up forwarders to add a field which tells which project those lines come from?

EDIT:

After some click'n'learn I managed to create several indexes and several receivers, but I cannot find a way to set up a different index per receiver port. Any data sent by the universal forwarder to any receiver goes to the main index on the Splunk server.

kristian_kolb
Ultra Champion

On your forwarder

inputs.conf

[monitor://your stuff to monitor]
sourcetype = blah
index = bleh
+ other inputs settings

Just make sure that the index bleh exists in your indexer before you start sending events.

/K
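The following is an added, worked version of the answer above; it is not configuration from the original thread. It assumes three projects named proja, projb and projc, one indexer reachable as splunk-indexer.example.internal on port 9997, and placeholder log paths and sourcetypes. The point it shows is that the index is chosen per monitor stanza on the forwarder, not by which receiving port the data arrives on, and that every index named there must already exist on the indexer.

```ini
# Added example, not from the original thread. Assumed names: proja/projb/projc,
# splunk-indexer.example.internal, the log paths and the sourcetypes.

# --- On a forwarder serving project A: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# "index" is set per input; the receiver port on the indexer does not pick it.
[monitor:///var/log/nginx/access.log]
sourcetype = access_combined
index = proja
disabled = false

# The same forwarder can ship a second project's logs to a second index.
[monitor:///var/log/projb/app.log]
sourcetype = projb_app
index = projb
disabled = false

# --- On every forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# One receiver is enough; separate receivers per project are not needed.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.internal:9997

# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
[splunktcp://9997]
disabled = false

# --- On the indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Each index named on a forwarder must exist here before events arrive.
[proja]
homePath   = $SPLUNK_DB/proja/db
coldPath   = $SPLUNK_DB/proja/colddb
thawedPath = $SPLUNK_DB/proja/thaweddb

[projb]
homePath   = $SPLUNK_DB/projb/db
coldPath   = $SPLUNK_DB/projb/colddb
thawedPath = $SPLUNK_DB/projb/thaweddb

[projc]
homePath   = $SPLUNK_DB/projc/db
coldPath   = $SPLUNK_DB/projc/colddb
thawedPath = $SPLUNK_DB/projc/thaweddb
```

Restart the indexer after adding the indexes and the forwarder after changing its inputs. On the forwarder, `splunk btool inputs list --debug` shows which file each `index =` setting is actually coming from (a stray `index = main` in an app's local directory is the usual reason everything still lands in main). On the search head, `| eventcount summarize=false index=*` lists the per-index event counts, and the search the question was asking for becomes `index=proja ...` instead of `* project=foobar`. Caveat: if a forwarder names an index the indexer does not have, those events are not stored in it; on recent versions `lastChanceIndex` in indexes.conf can be set to catch them, otherwise check splunkd.log on the indexer for the rejected index name. If you cannot edit the forwarders' inputs, the indexer can instead route by host with a props.conf/transforms.conf rule whose `DEST_KEY = _MetaData:Index`, but that is a second mechanism and is not what the answer above describes.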

martin_mueller
SplunkTrust

How so?

You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the index key in inputs.conf on your forwarders.

splunkprimeriti
Explorer

Hi @martin_mueller, it seems that you are right, I need separate indexes per project, but I cannot achieve it.

splunkprimeriti
Explorer

@martin_mueller perhaps. I'm a n00b with the Enterprise flavor of Splunk. We have one license for three related projects and want to do searches on only one of them at a time. I was looking for a way to do "* project=foobar", but if there is another way to achieve it, that will suffice.

martin_mueller
SplunkTrust

Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.
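As an added example of the role-based permissions mentioned above (not configuration from the original thread), here is an authorize.conf that gives each project its own search role restricted to its own index. It assumes the indexes proja, projb and projc already exist and that the role and user names are placeholders.

```ini
# Added example, not from the original thread. Assumed: indexes proja/projb/projc
# and the role names below. File: $SPLUNK_HOME/etc/system/local/authorize.conf
# on the search head (or the indexer if it is also the search head).

# Project A analysts: can only search proja, and search it by default.
# Capabilities are listed explicitly rather than via importRoles, because
# imported roles add their own srchIndexesAllowed to this role (the union is
# what applies), which can silently widen the restriction.
[role_proja_user]
search = enabled
rtsearch = enabled
get_metadata = enabled
change_own_password = enabled
srchIndexesAllowed = proja
srchIndexesDefault = proja

[role_projb_user]
search = enabled
rtsearch = enabled
get_metadata = enabled
change_own_password = enabled
srchIndexesAllowed = projb
srchIndexesDefault = projb

[role_projc_user]
search = enabled
rtsearch = enabled
get_metadata = enabled
change_own_password = enabled
srchIndexesAllowed = projc
srchIndexesDefault = projc

# A cross-project role for the people who really need all three.
[role_all_projects]
search = enabled
rtsearch = enabled
get_metadata = enabled
change_own_password = enabled
srchIndexesAllowed = proja;projb;projc
srchIndexesDefault = proja;projb;projc
```

Assign users to these roles in the UI or with `splunk add user <name> -role role_proja_user -password ...`, then check the effective index list for a role with `splunk btool authorize list role_proja_user --debug` and, logged in as such a user, run `| eventcount summarize=false index=*`: only proja should be listed. Two caveats: the restriction is enforced at search time only, so it does nothing about what forwarders send or to which index; and members of the admin role still see every index, so the restriction is only as good as the membership of that role.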
