Solved: How to forward data to different indexes from one ...

tpaulsen · ‎04-13-2010

Hello,

i want to collect logs from one forwarder (Splunk 4.0.10) and forward the data to different indexes on one indexer. How do i achieve this?

Do i have to define it in the inputs.conf of the forwarder?

Example:

inputs.conf

index = teststufen-int
[monitor:///var/opt/noa/int04/current/process/log/process1.log]
[monitor:///var/opt/noa/int04/current/process/log/process2.log]

index = teststufen-sirt
[monitor:///var/opt/noa/int06/current/process/log/process1.log]
[monitor:///var/opt/noa/int06/current/process/log/process2.log]

Will this work?

enter code here

jfraiberg · ‎04-13-2010

I believe that should work, I would try something like -

[monitor:///var/log]
index=os


[monitor:///var/log]
index=os2

View solution in original post

ftk · ‎04-15-2010

Put an index parameter into each monitor stanza as such:

[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld

If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf

View solution in original post

jrodman · ‎04-21-2010

ftk has your answer, but for detail, the 'ini file format' concept is basically:

[name_of_stanza1]
setting1=value1
setting2=value2

[name_of_stanza2]
setting1=value3
setting2=value4

Splunk extends this by supporting the idea of defaults across all stanzas, eg:

[default]
setting1=default

[name_of_stanza1]

[name_of_stanza2]
setting1=override

Here, stanza1 gets the default, while stanza2 chooses another value. We also support writing defaults without an explicit stanza. This means the same thing:

setting1=default
[name_of_stanza1]
[name_of_stanza2]
setting1=override

So in your proposal, you have a default index specified:

index = teststufen-int

then in your stanza for process2.log, you override the index to teststufen-sirt.

See http://www.splunk.com/base/Documentation/4.1/Admin/Aboutconfigurationfiles for more information.

tpaulsen · ‎04-22-2010

Great! Now i fully understand. That helps a lot! Thank you.

ftk · ‎04-15-2010

Put an index parameter into each monitor stanza as such:

[monitor:///var/log/blah]
index = blah
[monitor:///var/log/fu]
index = helloworld

If you do not define an index parameter the data will go into the default index. Check the manual on inputs here for more information: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Editinputs.conf

tpaulsen · ‎04-22-2010

Yes, that´s what i thought. Thank you.

gkanapathy · ‎04-13-2010

you may want to use the "code" formatting button (the "101010" button) in the editing window to get the linebreaks right here.

jfraiberg · ‎04-13-2010

I believe that should work, I would try something like -

[monitor:///var/log]
index=os


[monitor:///var/log]
index=os2

tpaulsen · ‎04-13-2010

Ok, thank you. so the other way round.

Do i have to put the index declaration after every [monitor:///...] entry?

How to forward data to different indexes from one single input.conf forwarder to one single indexer?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...