Move input to different index

rblalock · ‎08-15-2012

I have too many machines (almost 500) logging to a single index. I want to create a new index (which I know how to do) and configure some host inputs to write to the new index instead of the old one. All sources are syslog type on UDP 514.

rblalock · ‎08-15-2012

OK, so I was expecting this to be a server-side solution. This looks like a client-side solution. Do I have that right?

johandk · ‎08-15-2012

Well... yes. Using a Heavy forwarder you can make it server side. Otherwise use the deployment server which manages all your forwarder configs centrally.

johandk · ‎08-15-2012

As per the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Route_inputs_to_specif...

On the Universal or Heavy forwarder in inputs.conf (depending on the type of input):

[monitor://.../file1.log]
_TCP_ROUTING = group1

And then in outputs.conf:

[tcpout:group1]
server=server1:9997

Should work.. Untested. Examples stolen from docs. Let us know if this works...

EDIT

I have no idea whether the UDP input to TCP routing will work... Really curious to see how this pans out.

Move input to different index

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?