Knowledge Management

Tag data on universal forwarder

splunkprimeriti
Explorer

Hi!

We are migrating from Storm to self-hosted Splunk.

In Storm there are projects, which are a nice addition to Splunk capabilities; in Enterprise all the forwarded data goes to the same bag.

If we forward, for example, "access.log"s from different machines which serve different projects, we could limit search and report by hosts, but this is inefficient.

Is there a way to set up forwarders to add a field which tells which project the lines come from?

EDIT:

After some click'n'learn I managed to create several indexes and several receivers. But I cannot find the way to set up a different index per receiver port. Any data sent by the universal forwarder to any receiver goes to the main index in the Splunk server.


kristian_kolb
Ultra Champion

On your forwarder

inputs.conf

[monitor://your stuff to monitor]
sourcetype = blah
index = bleh
+ other inputs settings

Just make sure that the index bleh exists in your indexer before you start sending events.

/K

martin_mueller
SplunkTrust

How so?

You can define new indexes in indexes.conf (or through the UI) on your indexer(s), and define the index key in inputs.conf on your forwarders.

splunkprimeriti
Explorer

Hi @martin_mueller, it seems that you are right, I need separate indexes per project, but I cannot achieve it.

splunkprimeriti
Explorer

@martin_mueller perhaps. I'm a n00b with the Enterprise flavor of Splunk. We have one license for three related projects and want to do searches only on one of 'em at a time. I was looking for a way to do "* project=foobar", but if there is another way to achieve it, that will suffice.

martin_mueller
SplunkTrust

Are you possibly looking for separate indexes per "project"? Those come with role-based permissions out of the box.
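Putting the two answers together, here is an added example (not from either poster) of the per-project setup: inputs.conf on the universal forwarder assigns each project's log to its own index, indexes.conf on the indexer creates those indexes before any forwarder starts sending, and authorize.conf gives each project a role that can only search its own index. Paths, hostnames, index names and role names are assumed placeholders.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Each monitored file is stamped with the index of the project it belongs to
# (paths, sourcetypes and index names are assumed placeholders).
[monitor:///var/log/nginx/foobar/access.log]
sourcetype = access_combined
index = foobar

[monitor:///var/log/nginx/bazqux/access.log]
sourcetype = access_combined
index = bazqux

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# One receiver is enough: the index is chosen per input above, not per receiving port.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.internal:9997

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Create every index referenced above before the forwarders start sending;
# events addressed to an index that does not exist are dropped by default.
[foobar]
homePath   = $SPLUNK_DB/foobar/db
coldPath   = $SPLUNK_DB/foobar/colddb
thawedPath = $SPLUNK_DB/foobar/thaweddb

[bazqux]
homePath   = $SPLUNK_DB/bazqux/db
coldPath   = $SPLUNK_DB/bazqux/colddb
thawedPath = $SPLUNK_DB/bazqux/thaweddb

# --- Search head / indexer: $SPLUNK_HOME/etc/system/local/authorize.conf ---
# One role per project, restricted to that project's index: a user in
# role_foobar searches index=foobar implicitly and cannot read bazqux.
[role_foobar]
importRoles = user
srchIndexesAllowed = foobar
srchIndexesDefault = foobar

[role_bazqux]
importRoles = user
srchIndexesAllowed = bazqux
srchIndexesDefault = bazqux
```

After a restart of both forwarder and indexer, the "* project=foobar" search from the question becomes simply `index=foobar`, and an admin can still span projects with `index=foobar OR index=bazqux`.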
