I have a bunch of light forwarders sending data to a central heavy forwarder which then sends the data to the main indexer.
On the central heavy forwarder and the main indexer I've created an index called windows.
When I run a search on the main indexer, it doesn't look like all of the data is going into the windows index and I don't know why. In particular, one Windows 7 Professional system (a light forwarder) and a Windows XP Pro system (the central heavy forwarder). The other systems are getting forwarded just fine (they consist of Win 2000, XP, Server 2003 and Server 2008 R2). Help?
On each light forwarder I've placed inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf
[default]
index = windows
On the central heavy forwarder I've placed the inputs.conf in: %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf
[default]
index = windows
Well, apparently on the 2 problem systems, this is the solution: I had to add the line
index = windows
to %SPLUNK_HOME\etc\system\local\inputs.conf
and removed %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf (on the central heavy forwarder)
and removed %SPLUNK_HOME\etc\apps\SplunkLightForwarder\local\inputs.conf (on the Windows 7 light forwarder).
I still have no clue why it needed to be different for these 2 systems.
That's generally the right way, except that any particular input can override the default and send its data to a different index, and transforms can also change the target index.
OK, I got the central forwarder fixed. I had to add the line index = windows to %SPLUNK_HOME\etc\system\local\inputs.conf and removed %SPLUNK_HOME\etc\apps\SplunkForwarder\local\inputs.conf.
OK, any idea as to why these 2 systems aren't cooperating then?
No, I am saying that the specific input can set a different index, so your default may be overridden.
So on those 2 systems, do you think placing the inputs.conf in %SPLUNK_HOME\etc\system\local will do the trick?
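The precedence question running through this thread (an app-level [default] stanza versus one in etc/system/local, and a per-input index setting beating any [default]) can be reasoned about without a Splunk instance. The following is an added example, not code from the original thread or from Splunk: a small Python model of how Splunk merges the copies of inputs.conf in the global context (etc/system/local first, then each app's local and default directories ranked by the ASCII order of the app directory name, then etc/system/default) and then applies the [default] stanza to every stanza that does not set index itself. The file contents, the app name Corp_inputs and the index names other than windows are constructed for the demonstration; falling back to main when nothing sets an index is an assumption of the model, as is the hypothetical third app that makes the thread's symptom appear.

```python
"""Model of Splunk configuration precedence for inputs.conf, added as an
illustration (not Splunk's own code). Rules modelled:
  1. etc/system/local                    (highest precedence)
  2. etc/apps/<app>/local, apps in ASCII order of directory name
  3. etc/apps/<app>/default, same ordering
  4. etc/system/default                  (lowest precedence)
Files merge stanza-by-stanza and attribute-by-attribute; the [default]
stanza is applied last, so a stanza-level `index` beats every [default]."""


def parse_conf(text):
    """Tiny .conf parser: {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def precedence_rank(path):
    """Sort key: lower tuple = higher precedence. Accepts Windows or POSIX paths."""
    parts = path.replace("\\", "/").split("/")
    i = parts.index("etc")
    if parts[i + 1] == "system":
        return (0, "") if parts[i + 2] == "local" else (3, "")
    app, subdir = parts[i + 2], parts[i + 3]
    # Python compares str by code point, which is the ASCII ordering Splunk
    # uses for app directories ("Corp_inputs" sorts before "SplunkLightForwarder").
    return (1 if subdir == "local" else 2, app)


def merge_conf(files):
    """files: {path: text}. Walk from highest to lowest precedence; the first
    value seen for a (stanza, key) pair wins, lower files only fill gaps."""
    merged = {}
    for path in sorted(files, key=precedence_rank):
        for stanza, attrs in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                target.setdefault(key, value)
    return merged


def effective_index(files, fallback="main"):
    """Effective index for every input stanza. `fallback` (assumed: main)
    stands in for the indexer's default index when nothing sets one."""
    merged = merge_conf(files)
    default_index = merged.get("default", {}).get("index", fallback)
    return {stanza: attrs.get("index", default_index)
            for stanza, attrs in merged.items() if stanza != "default"}


# Constructed scenario modelled on the thread. "Corp_inputs" is a hypothetical
# app whose name sorts before "SplunkLightForwarder", so its [default] beats
# the light forwarder app's [default] index = windows.
ETC = r"C:\Program Files\Splunk\etc"
SAMPLE_BEFORE = {
    ETC + r"\system\default\inputs.conf":
        "[default]\nindex = main\n",
    ETC + r"\apps\SplunkLightForwarder\local\inputs.conf":
        "[default]\nindex = windows\n",
    ETC + r"\apps\Corp_inputs\local\inputs.conf":
        "[default]\nindex = main\n\n"
        "[WinEventLog:Application]\ndisabled = 0\n\n"
        "[WinEventLog:Security]\ndisabled = 0\nindex = wineventlog\n",
    ETC + r"\apps\Corp_inputs\default\inputs.conf":
        "[monitor://C:\\inetpub\\logs]\nsourcetype = iis\n",
}
# The fix from the thread: [default] index = windows in etc/system/local.
SAMPLE_AFTER = dict(SAMPLE_BEFORE)
SAMPLE_AFTER[ETC + r"\system\local\inputs.conf"] = "[default]\nindex = windows\n"

if __name__ == "__main__":
    for label, files in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for stanza, index in sorted(effective_index(files).items()):
            print(f"  {stanza:32} -> {index}")
```

Running it shows why the system/local fix works and where it stops working: after the change the Application log and the monitor input land in windows, because nothing beats etc/system/local for the [default] stanza, but the Security input still goes to wineventlog, because a stanza-level index wins over any [default] no matter where that [default] lives. That is the caveat in the accepted answer. On a real forwarder the equivalent check is `splunk btool inputs list --debug` from $SPLUNK_HOME/bin, which prints every effective setting next to the file it was taken from; routing done in transforms.conf (the answer's second caveat) is not modelled here.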