Hi!
We are migrating from Storm to self-hosted Splunk.
In Storm there are projects, which are a nice addition to Splunk's capabilities; in Enterprise all the forwarded data goes to the same bag.
If we forward, for example, "access.log"s from different machines which serve different projects, we could limit search and report by hosts, but this is inefficient.
Is there a way to set up forwarders to add a field which tells which project the lines come from?
EDIT:
After some click'n'learn I managed to create several indexes and several receivers, but I cannot find the way to set up a different index per receiver port. Any data sent by the universal forwarder to any receiver goes to the main index on the Splunk server.
On your forwarder
inputs.conf
[monitor://your stuff to monitor]
sourcetype = blah
index = bleh
+ other inputs settings
Just make sure that the index bleh exists in your indexer before you start sending events.
/K
How so?
You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the index key in inputs.conf on your forwarders.
Hi @martin_mueller, it seems that you are right, I need separate indexes per project, but I cannot achieve it.
@martin_muller perhaps. I'm a n00b with the Enterprise flavor of Splunk. We have one license for three related projects and want to do searches only on one of 'em at a time. I was looking for a way to do "* project=foobar", but if there is another way to achieve it, that will suffice.
Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.
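Putting the inputs.conf answer above and the separate-index-per-project suggestion together, here is an added example (not from anyone in this thread) with constructed project names, paths and roles: two projects each ship their own access.log into their own index on the forwarder side, the indexer defines those indexes, and a role is limited to searching one of them.

```ini
# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (constructed example) ---
# The index is chosen per monitor stanza on the forwarder, not per receiving
# port, so several forwarders can send to one receiver and still land in
# different indexes.
[monitor:///var/log/project_foo/access.log]
sourcetype = access_combined
index = project_foo

[monitor:///var/log/project_bar/access.log]
sourcetype = access_combined
index = project_bar

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Every index named on a forwarder must exist here (or be created in the UI)
# before events arrive.
[project_foo]
homePath   = $SPLUNK_DB/project_foo/db
coldPath   = $SPLUNK_DB/project_foo/colddb
thawedPath = $SPLUNK_DB/project_foo/thaweddb

[project_bar]
homePath   = $SPLUNK_DB/project_bar/db
coldPath   = $SPLUNK_DB/project_bar/colddb
thawedPath = $SPLUNK_DB/project_bar/thaweddb

# --- Indexer / search head: $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Per-project role: members of role_project_foo can only search the foo index,
# so the index is both their default search scope and a permission boundary.
[role_project_foo]
importRoles = user
srchIndexesAllowed = project_foo
srchIndexesDefault = project_foo
```

After restarting the forwarder and indexer, `index=project_foo` in a search replaces the wished-for `project=foobar` field and the per-host filtering.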