- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get an input source into a specific index?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a server with Universal Forwarder configured to feed data files into my Splunk indexer, and I was able to create a separate index file which is intended to hold this particular input source. Right now, all the data files are being dumped into the "Main" index but I'm a little lost from this point. What else do I need to do for this specific input source to be diverted to the index that I set up for this purpose?
I found the following documentation http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
but from here I'm not sure which direction to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the solution to your issue is to create an inputs file for your forwarder to divert the data into the appropriate index. That's the short version at least. A simplistic example is
[monitor:///var/foo]
Index = main
[monitor::///var/bar]
Index = new_index
Alternatively you could put data into different indices through props/transforms and while that isn't hard per se there are a few more steps. Can you give a few more particulars about your environment (eg are you using a deployment server), OS, and data paths involved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the solution to your issue is to create an inputs file for your forwarder to divert the data into the appropriate index. That's the short version at least. A simplistic example is
[monitor:///var/foo]
Index = main
[monitor::///var/bar]
Index = new_index
Alternatively you could put data into different indices through props/transforms and while that isn't hard per se there are a few more steps. Can you give a few more particulars about your environment (eg are you using a deployment server), OS, and data paths involved?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to go to your indexer and add a new index as well, then restart the indexer.
Create or add this to the indexes.conf in your indexer_base app or inside of your $SPLUNK_Home\ect\system\local and replace new_index_name with the name of your index.
[new_index_name]
homePath = $SPLUNK_DB\new_index_name\db
coldPath = $SPLUNK_DB\new_index_name\colddb
thawedPath = $SPLUNK_DB\new_index_name\thaweddb
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
