I have one splunk forwarder I need to segregate from other indexes. I have created its own index and I need to know how to get the data from the splunk forwarder into it. I only have one port open for lightweight forwarding.
Is this possible through props.conf and transforms.conf or do I need to do something different
Just set
index = specialindex
either under each input on that forwarder in inputs.conf
, or set it at the top of the inputs.conf
file and it will be defaulted for all inputs unless otherwise specified (though note that some UI-configured inputs will set index = default
)
Just set
index = specialindex
either under each input on that forwarder in inputs.conf
, or set it at the top of the inputs.conf
file and it will be defaulted for all inputs unless otherwise specified (though note that some UI-configured inputs will set index = default
)
It's possible to do with a transform, but the input method gkanapthy is suggesting is easier and simpler.