Move input to different index

rblalock · ‎08-15-2012

I have too many machines (almost 500) logging to a single index. I want to create a new index (which I know how to do) and configure some host inputs to write to the new index instead of the old one. All sources are syslog type on UDP 514.

rblalock · ‎08-15-2012

OK, so I was expecting this to be a server-side solution. This looks like a client-side solution. Do I have that right?

johandk · ‎08-15-2012

Well... yes. Using a Heavy forwarder you can make it server side. Otherwise use the deployment server which manages all your forwarder configs centrally.

johandk · ‎08-15-2012

As per the docs:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Route_inputs_to_specif...

On the Universal or Heavy forwarder in inputs.conf (depending on the type of input):

[monitor://.../file1.log]
_TCP_ROUTING = group1

And then in outputs.conf:

[tcpout:group1]
server=server1:9997

Should work.. Untested. Examples stolen from docs. Let us know if this works...

EDIT

I have no idea whether the UDP input to TCP routing will work... Really curious to see how this pans out.

Move input to different index

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk