Re: How to send data to a custom index which is cu...

amulay26 · ‎08-18-2019

Am trying to solve a problem here. The inputs.conf for one of the monitoring stanza on the forwarder had index = main . I changed the inputs.conf on Deployment server and defined index = a and enabled restart splunkd. Am able to see an updated inputs.conf with index = a under the monitoring stanza. However, when I do a btool, I still see index = main for the same monitoring stanza.

How do I send data to index = a instead of index = main?

Any help will be appreciated. Thanks.

pramit46 · ‎08-19-2019

Please check whether or not you are using the correct serverclass. Perhaps the configuration is not even getting pushed into the forwarder. Hence even if you change on the DS, the FWD still shows the older version.

amulay26 · ‎08-19-2019

The serverclass is correct too.

amulay26 · ‎08-19-2019

I did a btool as well. There is no alternate inputs.conf on the Forwarder.

Mayurmpatil · ‎08-18-2019

Hello @amulay26 - may be there is one more inputs.conf in some other app or system local in your splunk enterprise.
with below command please find it.

/opt/splunk/bin/splunk cmd btool inputs list --debug | grep index

you will get all the inputs.conf files splunk is using in you environment .

How to send data to a custom index which is currently being sent to main index?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!