Getting Data In

Universal Forwarder app not going to correct index or sourcetype

Branden
Builder

I'm trying to do what has always been a routine task for me: I'm indexing data as specified in inputs.conf on a Universal Forwarder. I want to force the sourcetype and the target index. I have done this many times in the past, but for some reason it's not working for me this time. The notable difference is that I'm new to v6.X... I've been using 5.0.X until recently.

Here is my inputs.conf on the UF:

[monitor:///var/log/celery/*]
index = perma
sourcetype = celery
disabled = 0

[monitor:///var/log/gunicorn/*]
index = perma
sourcetype = gunicorn
disabled = 0

[monitor:///var/log/nginx/*]
index = perma
sourcetype = nginx_access
disabled = 0

[monitor:///var/log/rabbitmq/*]
index = perma
sourcetype = rabbitmq
disabled = 0

The inputs.conf looks okay, but it's putting the data in the "main" index, and coming up with its own sourcetypes instead of the sourcetype I provided.

I ran the btool command as instructed in similar posts. Everything looks fine there.

Am I missing something silly here?

Thanks!

0 Karma

dkuk
Path Finder

Hi,

The indexes are definitely created on the indexer(s) already, right? (have to ask just in case).

So does the output of the following command from $SPLUNK_HOME$/bin folder have the index and sourcetype set as desired? Sounds like you have checked this bit but just checking for this exact usage.

./splunk cmd btool inputs list --debug

Have you got any props and transforms on the indexer that could be overriding the index and sourcetype to the wrong values? I.e. if you run ./splunk cmd btool props list --debug, is there anything picking up that folder/source and overriding the index and/or sourcetype? What's the sourcetype being set to for a given example from the inputs.conf above?

0 Karma
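The btool check suggested in the reply above can be scripted, as an added example that is not part of the original thread: it reads `btool inputs list --debug` output and reports, per monitor stanza, the effective index and sourcetype and the file each came from. The sample output, the install path and the app name `perma_inputs` are constructed assumptions, and file paths are assumed to contain no spaces.

```shell
#!/bin/sh
# audit_monitor_inputs EXPECTED_INDEX
# stdin: output of `./splunk cmd btool inputs list --debug`, where every line
# is "<conf file> <stanza header or key = value>".
# Prints one line per [monitor://...] stanza: OK when the effective index
# equals EXPECTED_INDEX and a sourcetype is set, CHECK otherwise.
audit_monitor_inputs() {
    awk -v want="$1" '
    function report() {
        if (stanza == "") return
        status = (idx == want && st != "") ? "OK" : "CHECK"
        printf "%s %s index=%s [%s] sourcetype=%s [%s]\n", status, stanza,
            (idx == "" ? "-" : idx), (idxf == "" ? "-" : idxf),
            (st == "" ? "-" : st), (stf == "" ? "-" : stf)
    }
    # A new stanza header closes the previous one; only monitor stanzas are kept.
    $2 ~ /^\[/ {
        report()
        stanza = ($2 ~ /^\[monitor:/) ? $2 : ""
        idx = idxf = st = stf = ""
        next
    }
    stanza != "" && $3 == "=" && $2 == "index"      { idx = $4; idxf = $1 }
    stanza != "" && $3 == "=" && $2 == "sourcetype" { st = $4;  stf = $1 }
    END { report() }'
}

# Constructed sample of --debug output (not taken from the thread): the celery
# stanza inherits index from system/default and has no sourcetype, the nginx
# stanza carries both settings from the hypothetical app perma_inputs.
sample_btool_output() {
    cat <<'EOF'
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf [monitor:///var/log/celery/*]
/opt/splunkforwarder/etc/system/default/inputs.conf          host = $decideOnStartup
/opt/splunkforwarder/etc/system/default/inputs.conf          index = default
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf disabled = 0
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf [monitor:///var/log/nginx/*]
/opt/splunkforwarder/etc/system/default/inputs.conf          host = $decideOnStartup
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf index = perma
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf sourcetype = nginx_access
/opt/splunkforwarder/etc/apps/perma_inputs/local/inputs.conf disabled = 0
EOF
}

# Stand-alone run against the sample; on a forwarder, pipe the real btool output in.
sample_btool_output | audit_monitor_inputs perma
```

A CHECK line whose index comes from a system/default file means the forwarder is not applying the value written in the app's inputs.conf for that stanza.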