
Tag data on universal forwarder

splunkprimeriti
Explorer

Hi!

We are migrating from Storm to self-hosted Splunk.

In Storm there are projects, which are a nice addition to Splunk capabilities; in Enterprise all the forwarded data goes to the same bag.

If we forward, for example, "access.log"s from different machines which serve different projects, we could limit search and report by hosts, but this is inefficient.

Is there a way to set up forwarders to add a field which tells which project the lines come from?

EDIT:

After some click'n'learn I managed to create several indexes and several receivers. But I cannot find the way to set up a different index per receiver port. Any data sent by the universal forwarder to any receiver goes to the main index in the Splunk server.

0 Karma

kristian_kolb
Ultra Champion

On your forwarder

inputs.conf

[monitor://your stuff to monitor]
sourcetype = blah
index = bleh
# + other inputs settings

Just make sure that the index bleh exists in your indexer before you start sending events.

/K

martin_mueller
SplunkTrust

How so?

You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the index key in inputs.conf on your forwarders.
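
A preflight check for the two points made in the replies above (set the index key in inputs.conf on the forwarder, and make sure that index exists on the indexer first), added here as an example that is not part of the original thread. The stanza paths, index names and the check_inputs helper are constructed for illustration, and the parser assumes every setting sits under a stanza header.

```python
import configparser

# Constructed sample configs; paths and index names are hypothetical.
INDEXES_CONF = """
[project_a]
homePath   = $SPLUNK_DB/project_a/db
coldPath   = $SPLUNK_DB/project_a/colddb
thawedPath = $SPLUNK_DB/project_a/thaweddb
"""

INPUTS_CONF = """
[monitor:///var/log/project_a/access.log]
sourcetype = access_combined
index = project_a

[monitor:///var/log/project_b/access.log]
sourcetype = access_combined
index = project_b

[monitor:///var/log/project_c/access.log]
sourcetype = access_combined
"""

def _parse(text):
    # Splunk .conf files are INI-like; no interpolation, duplicates tolerated.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (homePath, coldPath, ...)
    cp.read_string(text)
    return cp

def check_inputs(inputs_text, indexes_text, builtin=("main",)):
    """Return {input stanza: problem} for inputs that miss their project index."""
    defined = set(_parse(indexes_text).sections()) | set(builtin)
    inputs = _parse(inputs_text)
    # A [default] stanza in inputs.conf may set index for every input.
    fallback = inputs.get("default", "index", fallback=None)
    problems = {}
    for stanza in inputs.sections():
        if stanza == "default":
            continue
        index = inputs.get(stanza, "index", fallback=fallback)
        if index is None:
            problems[stanza] = "no index set; events go to the default index"
        elif index not in defined:
            problems[stanza] = f"index '{index}' not defined in indexes.conf"
    return problems

if __name__ == "__main__":
    for stanza, problem in check_inputs(INPUTS_CONF, INDEXES_CONF).items():
        print(f"{stanza}: {problem}")
```

With the sample data, project_b is flagged because its index is missing from indexes.conf, and project_c is flagged because it would fall through to the default index, which is the behaviour described in the question's EDIT.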

splunkprimeriti
Explorer

Hi @martin_mueller, it seems that you are right: I need separate indexes per project, but I cannot achieve it.

0 Karma

splunkprimeriti
Explorer

@martin_mueller perhaps. I'm a n00b with the Enterprise flavor of Splunk. We have one license for three related projects and want to do searches only on one of 'em at a time. I was looking for a way to do "* project=foobar". But if there is another way to achieve it, that will suffice.

0 Karma

martin_mueller
SplunkTrust

Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.
