Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get an input source into a specific index?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mark_Barrett
Explorer
03-29-2013
05:09 PM
I have a server with Universal Forwarder configured to feed data files into my Splunk indexer, and I was able to create a separate index file which is intended to hold this particular input source. Right now, all the data files are being dumped into the "Main" index but I'm a little lost from this point. What else do I need to do for this specific input source to be diverted to the index that I set up for this purpose?
I found the following documentation http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
but from here I'm not sure which direction to go.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Runals
Motivator
03-30-2013
08:04 PM
I think the solution to your issue is to create an inputs file for your forwarder to divert the data into the appropriate index. That's the short version at least. A simplistic example is
[monitor:///var/foo]
Index = main
[monitor::///var/bar]
Index = new_index
Alternatively you could put data into different indices through props/transforms and while that isn't hard per se there are a few more steps. Can you give a few more particulars about your environment (eg are you using a deployment server), OS, and data paths involved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Runals
Motivator
03-30-2013
08:04 PM
I think the solution to your issue is to create an inputs file for your forwarder to divert the data into the appropriate index. That's the short version at least. A simplistic example is
[monitor:///var/foo]
Index = main
[monitor::///var/bar]
Index = new_index
Alternatively you could put data into different indices through props/transforms and while that isn't hard per se there are a few more steps. Can you give a few more particulars about your environment (eg are you using a deployment server), OS, and data paths involved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ShaneNewman
Motivator
03-29-2013
09:34 PM
You will need to go to your indexer and add a new index as well, then restart the indexer.
Create or add this to the indexes.conf in your indexer_base app or inside of your $SPLUNK_Home\ect\system\local and replace new_index_name with the name of your index.
[new_index_name]
homePath = $SPLUNK_DB\new_index_name\db
coldPath = $SPLUNK_DB\new_index_name\colddb
thawedPath = $SPLUNK_DB\new_index_name\thaweddb
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
