Getting Data In

Why are my logs sent to the default index?

Mystica856
Explorer

Greetings all,

I am new to Splunk and trying to learn my way around it. I created a home lab environment with the following details:
* 1 search head, 1 indexer, and 1 Heavy Forwarder (all Linux).
* 1 Universal Forwarder (my desktop).

Right now, my Windows logs are being sent from the Universal Forwarder to the Heavy Forwarder on TCP port 9998 (a random port number). Then, the Heavy Forwarder receives on 9998 and sends on to the indexer on 9997. I can search from the search head and receive all data; however, they all go to index=main.

I tried the following:
* Modify inputs.conf on the Heavy Forwarder with the following:

[tcp://mydesktopIP:9998]
index = desktop

* I also tried to modify the inputs.conf file in the launcher app:

[splunktcp://9998]
index = desktop

None of the options above worked. Also, kindly note that I ensured that the indexes.conf file on my indexer has the "desktop" index information.

Thanks in advance.

0 Karma

gcusello
SplunkTrust

Hi Mystica856,
The destination index must be set in each stanza of each inputs.conf file on the Universal Forwarders, not on the Heavy Forwarder or the Indexer.
On the Heavy Forwarder, the destination index must be set only for local logs, not for those coming from Universal Forwarders.

It's also possible to change the destination index on the Indexers (see https://docs.splunk.com/Documentation/Splunk/6.6.2/Data/Advancedsourcetypeoverrides ), in other words:

in props.conf

 [mysourcetype]
 TRANSFORMS-index = overrideindex

in transforms.conf

 [overrideindex]
 DEST_KEY = _MetaData:Index
 REGEX = .
 FORMAT = new_index

Bye.
Giuseppe

Mystica856
Explorer

That did fix it. But what I did is I went to each source/stanza in my "D:/programfiles/splunkuniversalforwarder/etc/apps/splunkuniversalforwarder/local/inputs.conf" and added index=desktop to each. My question is, is there a way to do it on a global level? Meaning, can I tell the Universal Forwarder that the logs sent to port 9998 should go to index=desktop without editing each stanza?

Thanks for the solution.

0 Karma

gcusello
SplunkTrust

Hi Mystica856,
I don't like to do this, for several reasons:
At first, I prefer to set the destination index in each stanza to have more control over each input of my deployment and not overload the Indexer with jobs that forwarders usually do.
I usually put my inputs.conf in dedicated apps (called Technical Add-Ons or TAs) that I centrally manage using a Deployment Server (a dedicated one when I have many forwarders), but for a test you can use the same server as the Indexer.
In addition, don't use the splunkuniversalforwarder app because it's a default Splunk app; create a custom TA and put your inputs.conf in it.
At the end, the path you described is wrong because in Windows you have to use backslashes instead of slashes.
Bye.
Giuseppe

0 Karma
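The thread's conclusion is that every input stanza on the Universal Forwarder should carry its own `index =` line, since a stanza without one lands in `main`. As an added example (not code from this thread, from Splunk, or from any Splunk app), the script below audits a Universal Forwarder inputs.conf for stanzas that set no index and can rewrite the file so each of them gets one, which is the per-stanza approach recommended above without editing by hand. The sample inputs.conf is constructed for the example; the parser is a minimal stand-in for Splunk's own .conf handling and assumes an `index` set in a `[default]` stanza applies to every other stanza in the same file, as Splunk's per-file `[default]` stanza does.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a Universal Forwarder inputs.conf in which only the
# Security event log names a destination index. The other inputs would be
# written to index=main on the indexer.
SAMPLE_INPUTS_CONF = """\
[default]
host = my-desktop

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0
index = desktop

[monitor://C:\\Logs\\app.log]
sourcetype = app_log
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse Splunk-style .conf text into an ordered list of (stanza, settings).

    Lines before the first stanza header are ignored; '#' and ';' start comments.
    This is a deliberately small parser, not Splunk's own configuration loader.
    """
    stanzas: List[Tuple[str, Dict[str, str]]] = []
    current: Tuple[str, Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = (header.group(1), {})
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[1][key.strip()] = value.strip()
    return stanzas


def stanzas_missing_index(text: str) -> List[str]:
    """Return the input stanzas that set no index and so would default to main.

    An index given in the [default] stanza counts for every stanza in the file.
    """
    stanzas = parse_conf(text)
    default_index = None
    for name, settings in stanzas:
        if name == "default":
            default_index = settings.get("index")
    missing = []
    for name, settings in stanzas:
        if name == "default":
            continue
        if "index" not in settings and default_index is None:
            missing.append(name)
    return missing


def add_index_to_stanzas(text: str, index: str) -> str:
    """Rewrite the file so every input stanza lacking an index gets 'index = <index>'.

    The new line is placed directly under the stanza header; other lines are kept.
    """
    missing = set(stanzas_missing_index(text))
    out = []
    for raw in text.splitlines():
        out.append(raw)
        header = STANZA_RE.match(raw.strip())
        if header and header.group(1) in missing:
            out.append(f"index = {index}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Audit first, then show the corrected file for review before deploying it.
    for name in stanzas_missing_index(SAMPLE_INPUTS_CONF):
        print(f"no index set, would go to main: [{name}]")
    print(add_index_to_stanzas(SAMPLE_INPUTS_CONF, "desktop"))
```

Run it against the real file from a TA's `local/inputs.conf` by reading that file into `text` instead of the constructed sample; review the rewritten output before pushing it out, since the script does not validate that the index named actually exists in the indexer's indexes.conf.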

Mystica856
Explorer

Splunk version 6.6.0. I forgot to add it to the question.

0 Karma