Getting Data In

How to change auto configuration of universal forwarder?

axl88
Communicator

Hi all,
I was assigned to push a fix on forwarders since they are forwarding data with auto-naming on index and source type like audit1 or error1, index1 or index2.
I didn't install the system, so I don't know how it was set up this way. I did some research in the forwarder directory and found out that:
inputs.conf is not set to any value anywhere for the applications.
The only thing I found is in the "\etc\apps\search\metadata\local.meta" file, some lines like:

[inputs/monitor%3A%2F%2F<LOG_DISK>%3A%5C<LOG_DIRECTORY>%5C<APPLICATION_NAME>%5C<LOG_FILE>]
owner = admin
version = 6.0.1
modtime = 1391634049.125552100

My question is that I need to set up the right indexes and sourcetypes for several application logs that are forwarded to the same indexer.

What is the correct way of doing this? Should I just add the right configuration to inputs.conf at etc/search/local or etc/system/local?

One last question: what would happen to logs that were indexed and sourcetyped automatically on the indexer? Are they going to be part of the new naming, or do I have to sacrifice them for this good reason?

Thanks for your time and effort for even checking my question 🙂

1 Solution

strive
Influencer

Yes, you need to add the right configuration to the inputs.conf file to route log events to specific indexes and to set the right sourcetypes.

When you search with the new index names and sourcetypes you will not get the old log events that were indexed automatically.

The first step is to set the right configuration in the inputs.conf file of the forwarder.

The file should be under etc/system/local. If you have written a dedicated app for the forwarder node, then the inputs.conf file can be under the <your app>/local/ directory.
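As an added illustration of the inputs.conf stanzas described in this answer (example configuration, not from the thread or from Splunk's own docs), the following sets an explicit index and sourcetype per monitored log on the universal forwarder. The drive letter, directory names, index names and sourcetype names are placeholders; substitute the real paths from the local.meta stanzas shown in the question.

```ini
# Added example: etc/system/local/inputs.conf (or <your app>/local/inputs.conf)
# on the universal forwarder. Paths, index and sourcetype names are placeholders.

# One stanza per log file. On Windows the monitor path keeps backslashes,
# which is why local.meta shows them URL-encoded as %5C.
[monitor://D:\Logs\AppOne\error.log]
index = appone_errors
sourcetype = appone:error
disabled = 0

[monitor://D:\Logs\AppTwo\audit.log]
index = apptwo_audit
sourcetype = apptwo:audit
disabled = 0

# Monitoring a whole directory instead of a single file (as asked later in the
# thread) works the same way; every file under it inherits index and sourcetype.
[monitor://D:\Logs\AppThree]
index = appthree
sourcetype = appthree:app
disabled = 0
```

Two caveats a practitioner will want: each `index` named here must already exist on the indexer (defined in its indexes.conf) before the forwarder starts sending, otherwise the events are not stored under that name; and the forwarder must be restarted for the new stanzas to take effect. Before restarting, `splunk btool inputs list --debug` on the forwarder shows the merged inputs.conf together with the file each setting comes from, which is the quickest way to confirm that nothing in another app's local/ directory is overriding the index or sourcetype you just set.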

strive
Influencer

This link has the details on cleaning index data and removing indexes.
http://docs.splunk.com/Documentation/Splunk/6.1.2/Indexer/RemovedatafromSplunk

Be careful while using these commands.

0 Karma

axl88
Communicator

Thanks for the response. This leads to another question: I can start forwarding a directory instead of a log file, since I kept them historically. Is there any way to get rid of the old indexes and sourcetypes on the indexer?

0 Karma

strive
Influencer

If you still need the old data to be summarized and those results saved into some summary index, then it is possible. You can first run separate searches on this old data and store the summarized data into the summary index; after that you can schedule your new searches to push summarized data to the summary index.

If you are writing searches on raw data and want to use both the old data and the new data, then you may have to make use of subsearches.

0 Karma