Splunk Add-on for Windows - indexes.conf has been removed.

davidjohnbecket
Path Finder

With the recent version of Splunk Add-on for Windows, the use of the indexes.conf has been removed.

The question I can't figure out the answer to is how the data then knows where to go from the UF to the index...

On my endpoint UF I have the app deployed and the inputs.conf in the \local folder.

None of the stanzas have the "index=xxx" line in the config, but somehow the data is making its way to the index.

If I want to send data to a custom index, how can I?

0 Karma

skalliger
SplunkTrust

Hey.

It's important to read the docs before you upgrade. They actually mentioned the intentions in their release notes if I remember correctly.

Usually you will have a single index.conf for your indexers which will include all of your index definitions altogether. Splitting this into several apps isn't really manageable. An app should not define an index for you.

Skalli

0 Karma

davidjohnbecket
Path Finder

I realise that, but in an app inputs.conf you would typically designate where the data goes (into what index)

e.g.

On the UF (windows application server)...

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
index = winevents

Now the inputs.conf files do not have the index line in the stanza so how does the app know what index to send specific data to?
How does the Windows_TA app know to send [WinEventLog://Application] data to the winevent index?

[WinEventLog://Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false

0 Karma

skalliger
SplunkTrust
0 Karma

davidjohnbecket
Path Finder

https://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#Upgrade_from_version_4.8.4_to_...

The indexes.conf file was removed in the Splunk Add-on for Windows version 5.0.x along with the index= parameter from all stanzas in inputs.conf, wmi.conf, and eventgen.conf.
If you miss the following steps, your Splunk platform will not have index configurations. This can result in data loss.
If you were using indexes.conf or any custom index to store your data in an earlier version of the Splunk Add-on for Windows, copy or create the windows, wineventlog, and perfmon stanzas from the indexes.conf, inputs.conf, wmi.conf, and eventgen.conf files in your existing Splunk Add-on for Windows v4.8.4 /Splunk_TA_Windows/default/ folder to the /Splunk_TA_Windows/local/ folder. Otherwise, any data collected will go to the default main index.
When you forward data from a Windows server using the Splunk Add-on for Windows, the indexer you send the events to must also have these indexes present. Install the add-on onto the indexer, and create a new indexes.conf file in the /Splunk_TA_Windows/local/ directory. After creating the indexes, specify these indexes in inputs.conf in the /Splunk_TA_Windows/local/ directory.

Why did Splunk do this?
What were their intentions?

Now all data gets sent to the main index 😕

0 Karma
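
An added example, not part of the thread and not Splunk's own tooling: a small audit that layers a forwarder's local/inputs.conf over the add-on's default/inputs.conf and flags every enabled input that has no index= (so its events land in main) or that names an index the indexer's indexes.conf does not define. The stanza contents below are constructed samples; the index name wineventlog is taken from the documentation excerpt above, and winevents stands in for a leftover custom name.

```python
import configparser

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (keys lowercased)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), default_section="__unused__")
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def layer(default, local):
    """Apply local/ over default/ key by key, as Splunk does inside one app."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def audit(inputs, indexes):
    """Return (stanza, effective_index, problem) for each enabled input at risk."""
    findings = []
    for stanza, kv in sorted(inputs.items()):
        if stanza == "default" or kv.get("disabled", "0").lower() in ("1", "true"):
            continue
        # A [default] stanza in inputs.conf supplies index= to stanzas that lack it.
        index = kv.get("index", inputs.get("default", {}).get("index"))
        if index is None:
            findings.append((stanza, "main", "no index= set, events land in main"))
        elif index != "main" and index not in indexes:
            findings.append((stanza, index, "index missing from indexes.conf"))
    return findings

# Constructed samples: add-on default/ (no index=), forwarder local/, indexer local/.
TA_DEFAULT = """[WinEventLog://Application]
disabled = 1
[WinEventLog://Security]
disabled = 1
"""
UF_LOCAL = """[WinEventLog://Application]
disabled = 0
index = wineventlog
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
index = winevents
"""
INDEXER_LOCAL = "[wineventlog]\nhomePath = $SPLUNK_DB/wineventlog/db\n"

if __name__ == "__main__":
    merged = layer(parse_conf(TA_DEFAULT), parse_conf(UF_LOCAL))
    print(*audit(merged, parse_conf(INDEXER_LOCAL)), sep="\n")
```

On a live instance, `splunk btool inputs list --debug` shows the merged result across all apps and is the authoritative view; this sketch only models default/ and local/ of a single app.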