I have events from a file which are currently indexed under the “main” index. I created an index named “target” and want to forward the events from a particular file to that index. The index is added properly in the list of indexes.
I changed the inputs.conf file to include the index name as:
[monitor://C:\Users\pdimri\Desktop\shared\splunk__9.txt]
disabled = false
index = target
Restarted Splunk via the CLI. Also, since I am the admin, I have the relevant permissions to view the output. But when I type: index=target I get nothing. The data is still shown under the main index.
Used http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Setupmultipleindexes as reference.
Problem confirmed in original post's comments - default configurations are overriding the specified stanzas.
To fix, make sure that the inputs configuration is declared in "local". This should be done in its own app, but you can also add it to the system local configuration:
$SPLUNK_HOME\etc\apps\appName\local\inputs.conf
or
$SPLUNK_HOME\etc\system\local\inputs.conf
More info on config file precedence can be found in the docs as well:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Wheretofindtheconfigurationfiles
Does the btool inputs list --debug command list the files in the order in which Splunk reads them? Because for my event file, it first reads from \system\local\inputs.conf and sets "index = target", but then it reads from \system\default\inputs.conf and sets "index = default". But according to the doc on config files, system local should have the highest priority. And I am still getting no results for index=target.
The output from the command will list specific stanzas. You'll need to look for the one specific stanza for your particular input (the first line of the stanza will be the square-bracketed input you defined). The lines underneath will show the particular settings for that stanza.
System local should always take precedence, so I doubt that it's the problem.
Did you create the "target" index?
When I go to the Settings tab and click on the Indexes tab under Data, it shows me index names like _audit and main, and target is also there.
I'm starting to run out of ideas.
I assume that the index is also enabled?
Is there anything in the Splunk logs that might highlight what's going on (index=_internal in the Splunk UI, or $SPLUNK_HOME/var/log/splunk/splunkd.log)?
Did you configure the appropriate accesses to that index for the user you're logging into the Splunk UI as? If you're using default admin user, permissions should be set to all internal and all non-internal indexes.
From your initial reference page - did you just do the inputs.conf? Just making sure that there's no props/transforms that might be getting in the way.
So I tried to insert a new set of data and added the index at that time only (via the preview option) as "target". It works now, and its corresponding inputs.conf file was created in the "\app\search\local\" folder. Could you tell me now what I was doing wrong? Also, for my index it says App as launcher, so shouldn't it be created inside the "\app\launcher\local" folder instead?
You can see what configs it actually thinks it has using the internal btool commands (open up a cmd window):
cd to $SPLUNK_HOME, then the bin directory (usually C:\Program Files\Splunk\bin)
splunk cmd btool inputs list --debug
The inputs list debug command will tell you what configs it sees, and where it's coming from. There may be something from another file's local or even default configurations that overwrite what you put in place (depends on where you configured it all).
I checked via your command. The inputs.conf from default is overwriting the index back to default. Can you tell me how to stop this overwriting from default?
I could be wrong, but I think your path is incorrect:
Current:
"[monitor://C:UserspdimriDesktopsharedsplunk__9.txt]"
Should be:
[monitor://C:\UserspdimriDesktopsharedsplunk__9.txt]
This will require a restart obviously after the change.
Well, maybe your path is correct; does it have a backslash after the C:? For some reason the forums will not display the backslash.
I still don't see any difference between "current" and "should be". Also, if the main index is able to pull the data, in my opinion that means the path is correct. Could be wrong, newbie at Splunk.
It's because the backslash is not showing up, which is why I thought that. If the path is correct and you did a "splunk restart", that should have worked.
Yes, it does have a backslash.