
Tag data on universal forwarder

splunkprimeriti
Explorer

Hi!

We are migrating from storm to self hosted splunk.

In Storm there are projects, which are a nice addition to Splunk's capabilities; in Enterprise all the forwarded data goes into the same bag.

If we forward, for example, "access.log"s from different machines which serve different projects, we could limit search and reporting by host, but this is inefficient.

Is there a way to set up forwarders to add a field which tells which project those lines come from?

EDIT:

After some click'n'learn I managed to create several indexes and several receivers. But I cannot find the way to set up a different index per receiver port. Any data sent by the universal forwarder to any receiver goes to the main index on the Splunk server.

kristian_kolb
Ultra Champion

On your forwarder

inputs.conf

[monitor://your stuff to monitor]
sourcetype = blah
index = bleh
+ other inputs settings

Just make sure that the index bleh exists in your indexer before you start sending events.

/K

martin_mueller
SplunkTrust

How so?

You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the index key in inputs.conf on your forwarders.
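The two answers above come down to the same configuration: the index is chosen per input stanza on the forwarder, not per receiving port, and the index must already exist on the indexer. The script below is an added example (not code from the thread or from Splunk) that writes a constructed per-project inputs.conf and indexes.conf and then runs the check kristian_kolb recommends, listing every index referenced by an input that has no stanza in indexes.conf. All paths, project names and index names (proj_foo, proj_bar, proj_baz) are hypothetical; proj_baz is deliberately left out of indexes.conf to show what the check reports.

```shell
#!/bin/sh
# Added example, not from the original post or from Splunk.
# Per-project inputs.conf (forwarder) and indexes.conf (indexer), plus a
# pre-deploy check that every index named by an input exists on the indexer.
# All paths, project and index names below are hypothetical.
set -eu

WORK=$(mktemp -d)

# Forwarder side: $SPLUNK_HOME/etc/system/local/inputs.conf (constructed).
# "index" is set per monitor stanza; one receiving port serves all projects.
cat > "$WORK/inputs.conf" <<'EOF'
[monitor:///var/log/apache/foo/access.log]
sourcetype = access_combined
index = proj_foo

[monitor:///var/log/apache/bar/access.log]
sourcetype = access_combined
index = proj_bar

[monitor:///var/log/apache/baz/access.log]
sourcetype = access_combined
index = proj_baz
EOF

# Indexer side: $SPLUNK_HOME/etc/system/local/indexes.conf (constructed).
# proj_baz is intentionally missing so the check below has something to find.
cat > "$WORK/indexes.conf" <<'EOF'
[proj_foo]
homePath   = $SPLUNK_DB/proj_foo/db
coldPath   = $SPLUNK_DB/proj_foo/colddb
thawedPath = $SPLUNK_DB/proj_foo/thaweddb

[proj_bar]
homePath   = $SPLUNK_DB/proj_bar/db
coldPath   = $SPLUNK_DB/proj_bar/colddb
thawedPath = $SPLUNK_DB/proj_bar/thaweddb
EOF

# missing_indexes INPUTS_CONF INDEXES_CONF
# Prints, one per line, each index named by an "index = ..." line in
# INPUTS_CONF that has no "[name]" stanza in INDEXES_CONF. Prints nothing
# when every referenced index is defined.
missing_indexes() {
    inputs=$1
    indexes=$2
    # Pull the value of every "index = value" line, de-duplicated.
    sed -n 's/^[[:space:]]*index[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$inputs" |
    sort -u |
    while read -r idx; do
        grep -q "^\[$idx\]" "$indexes" || echo "$idx"
    done
}

# Run the check before the forwarder is pointed at the indexer.
missing=$(missing_indexes "$WORK/inputs.conf" "$WORK/indexes.conf")
if [ -n "$missing" ]; then
    echo "inputs.conf references indexes not defined in indexes.conf:" >&2
    echo "$missing" >&2
else
    echo "all referenced indexes are defined"
fi
```

Run it against the real files (`$SPLUNK_HOME/etc/system/local/` or the relevant app's `local/` directory) before restarting the forwarder; the check is deliberately file-based so it works without a running Splunk instance. Role-based access per index, as martin_mueller mentions, is configured separately on the indexer (or search head) and is not part of this example.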

splunkprimeriti
Explorer

Hi @martin_mueller, it seems that you are right; I need separate indexes per project, but I cannot achieve it.

splunkprimeriti
Explorer

@martin_mueller perhaps. I'm a n00b with the Enterprise flavor of Splunk. We have one license for three related projects and want to do searches on only one of them at a time. I was looking for a way to do "* project=foobar", but if there is another way to achieve it, that will suffice.

martin_mueller
SplunkTrust

Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.
