Splunk Enterprise

How to create and redirect event to the indexes?

sathyajith_tekd
Engager

I have created an splunk distributed setup which consist of a Search Head,indexer and two heavy forwarder.Right now am forwarding events from windows,Linux and firewall through syslog-ng to the indexer.But the events are store in main index.So I want to create and redirect to a separate index for windows,linux and syslog and also, is it possible to move the event stored in main index to the corresponding indexes.

Tags (1)
0 Karma
1 Solution

tiagofbmm
Influencer

Hi

You need to go to the inputs.conf in each of the Splunk Apps (Windows, Linux and Firewall), and under each stanza such as WinEventLog://Application and put a index under it.

[WinEventLog://Application]
index=your_index

Do the same for all the other stanzas in the inputs.conf you are collecting.

You also need to create the indexes you want. You can do it in the Splunk UI of the Indexer, under Settings, Indexes, New Index

View solution in original post

sathyajith_tekd
Engager

Thank you so much

0 Karma

deepashri_123
Motivator

Hey sathyajith_tekdeliver,
Already indexed data cannot be added to new index. However you can re-index the data to the new index.

For distributed environment.

Create seperate index in indexes.conf in $SPLUNK_HOME$/etc/master-apps/_cluster/local
for all indexes you want
Sample index format:

[linux]

homePath = $SPLUNK_DB/linux/db
coldPath = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb

From the master, Push the configuration bundle via GUI.
Settings>Indexer Clustering>Distribute configuration Bundle.

This will create indexes.

In inputs.conf on the forwarder add index to which data has to be indexed.
Sample:

[monitor://]
index = linux

And restart splunk.

If you are trying to re-index data then you need to add crc_salt in inputs.conf
Refer this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/Indexerclusterinputs
Let me know if this helps!!!

0 Karma

sathyajith_tekd
Engager

Right now I have about 65,000 of events in the main index (windows,Linux,syslog),Is it possible to move the events to the corresponding indexes.

0 Karma

tiagofbmm
Influencer

These events in the main index are in buckets mixed with others, which means you can't just move the buckets from one index to the other.

As these are not [monitor:....] stanzas, but rather scripts running on the servers, you can't have the data "reingested" unfortunately.

You can explore the collect command to see if you can get something out of it, but the main point here is: if data is there, specially in a default index that in your case has many sources in there, there is no trivial way to do that I believe

0 Karma

tiagofbmm
Influencer

Can you accept my answer below? You just accepted your own

0 Karma

tiagofbmm
Influencer

Hi

You need to go to the inputs.conf in each of the Splunk Apps (Windows, Linux and Firewall), and under each stanza such as WinEventLog://Application and put a index under it.

[WinEventLog://Application]
index=your_index

Do the same for all the other stanzas in the inputs.conf you are collecting.

You also need to create the indexes you want. You can do it in the Splunk UI of the Indexer, under Settings, Indexes, New Index

sathyajith_tekd
Engager

Hello,

After adding the stanzas the events are indexed in a new index except some events.
Sources such as

Perfmon:Network Interface

Perfmon:CPU Load

Perfmon: Available Memory
is still indexed in default,So how to move these source to the new index

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...