
How to forward events to a particular index?

Punit
New Member

I have events from a file which are currently indexed under the “main” index. I created an index named “target” and want to forward the events from a particular file to that index. The index is added properly in the list of indexes.

I changed the inputs.conf file to include the index name as:

[monitor://C:\Users\pdimri\Desktop\shared\splunk__9.txt]
disabled = false
index = target

Restarted Splunk via the CLI. Also, since I am the admin, I have the relevant permissions to view the output. But when I type: index=target, I get nothing. The data is still shown under the main index.
Used http://docs.splunk.com/Documentation/Splunk/6.1.3/Indexer/Setupmultipleindexes as reference.

0 Karma

srioux
Communicator

Problem confirmed in original post's comments - default configurations are overriding the specified stanzas.

To fix, make sure that the inputs configurations are declared in "local". This should be done in its own app, but you can also add it to system local configurations:

$SPLUNK_HOME\etc\apps\appName\local\inputs.conf

or

$SPLUNK_HOME\etc\system\local\inputs.conf

More info on config file precedence can be found in the docs as well:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/Wheretofindtheconfigurationfiles

0 Karma

Punit
New Member

Does the btool inputs list --debug command list the files in the order in which Splunk reads them? Because for my event file, it first reads from \system\local\inputs.conf and sets "index = target", but then it reads from \system\default\inputs.conf and sets "index = default". But according to the doc on config files, system local should have the highest priority. And I am still getting no results for input= target.

0 Karma

srioux
Communicator

The output from the command will list specific stanzas. You'll need to look for the one specific stanza for your particular inputs (first line of the stanza will be the square bracket-ed input you defined). Underlying lines will show the particular settings for that stanza.

System local should always take precedence, so I doubt that it's the problem.

Did you create the "target" index?

0 Karma

Punit
New Member

When I go to settings tab and click on indexes tab under Data, it shows me Index names like _audit, main and target is also there.

0 Karma

srioux
Communicator

I'm starting to run out of ideas.

I assume that the index is also enabled?

Is there anything in the Splunk logs that might highlight what's going on (index=_internal in the Splunk UI, or $SPLUNK_HOME/var/log/splunk/splunkd.log)?

Did you configure the appropriate accesses to that index for the user you're logging into the Splunk UI as? If you're using default admin user, permissions should be set to all internal and all non-internal indexes.

From your initial reference page - did you just do the inputs.conf? Making sure that there's no props/transforms that might be getting in the way.

0 Karma

Punit
New Member

So I tried to insert a new set of data and added the index at that time only (via the preview option) as "target". It works now, and its corresponding inputs.conf file was created in the "\app\search\local\" folder. Could you tell me now what I was doing wrong? Also, for my index it says App as launcher. So shouldn't it be created inside the "\app\launcher\local" folder instead?

0 Karma

srioux
Communicator

You can see what configs it actually thinks it has using the internal btool commands (open up a cmd window):

cd to $SPLUNK_HOME, then bin directory (usually C:\Program Files\Splunk\bin)
splunk cmd btool inputs list --debug

The inputs list debug command will tell you what configs it sees, and where they're coming from. There may be something from another file's local or even default configurations that overwrites what you put in place (depends on where you configured it all).

0 Karma
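
Added example, not part of the original thread or Splunk's own tooling: a Python sketch that reads `btool inputs list --debug` output and reports, for each monitor stanza, the effective index and the configuration layer (local or default) of the file that supplied it. The sample output and its paths are constructed, and the line layout (source .conf path, whitespace, then a stanza header or key = value) is an assumption about btool's debug format.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Assumed layout per line: "<source .conf path> <stanza header | key = value>".
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\local\inputs.conf   [monitor://C:\logs\app_a.txt]
C:\Program Files\Splunk\etc\system\local\inputs.conf   disabled = false
C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup
C:\Program Files\Splunk\etc\system\local\inputs.conf   index = target
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [monitor://C:\logs\app_b.txt]
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf disabled = false
C:\Program Files\Splunk\etc\system\default\inputs.conf host = $decideOnStartup
C:\Program Files\Splunk\etc\system\default\inputs.conf index = default
"""

# The source path may contain spaces, so split at the first ".conf" + whitespace.
LINE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<body>\S.*)$")

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, body = m.group("src"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), src)
    return stanzas

def layer_of(src):
    """Directory holding the .conf file: 'local' or 'default' in a standard layout."""
    parts = re.split(r"[\\/]", src)
    return parts[-2] if len(parts) >= 2 else "unknown"

def index_report(text, expected_index):
    """One row per monitor stanza: (stanza, effective index, layer, matches expected)."""
    rows = []
    for stanza, settings in parse_btool(text).items():
        if stanza.startswith("monitor://"):
            value, src = settings.get("index", ("<unset>", "<none>"))
            rows.append((stanza, value, layer_of(src), value == expected_index))
    return rows

if __name__ == "__main__":
    for row in index_report(SAMPLE, "target"):
        print(row)
```

In this layout each setting appears once per stanza, attributed to the file whose value is in effect, so the row to check is the `index` line under the monitor stanza for the file in question.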

Punit
New Member

I checked via your command. The inputs.conf from default is overwriting the index back to default. Can you tell me how to stop this overwriting from default?

0 Karma

icyfeverr
Path Finder

I could be wrong, but I think your path is incorrect:

Current:
"[monitor://C:UserspdimriDesktopsharedsplunk__9.txt]"

Should be:
[monitor://C:\UserspdimriDesktopsharedsplunk__9.txt]

This will require a restart obviously after the change.

0 Karma

icyfeverr
Path Finder

Well maybe your path is correct, does it have a backslash after the C:? For some reason the forums will not display the backslash.

0 Karma

Punit
New Member

I still don't see any difference between current and should be. Also if the main index is able to pull the data, in my opinion that means the path is correct. Could be wrong, newbie at Splunk.

0 Karma

icyfeverr
Path Finder

It's b/c the backslash is not showing up, which is why I thought that. If the path is correct and you did a "splunk restart", that should have worked.

0 Karma

Punit
New Member

Yes, it does have a backslash.

0 Karma