Getting Data In

Do I need to update inputs.conf to include new indexes to forward data to the new index?

jacksonrolfe1
Engager

Hi all,

Just need help understanding deployment servers better and how you are able to forward data to a 'specific index'.

My current setup:

  • 1 index master (a 'test' index has been configured and 'pushed' to the peer nodes successfully)
  • 2 index peers
  • 2 UF
  • 1 Deployment server (clients successfully peered and forwarder management is working fine)

What I am confused about is when I access the deployment server and
- select 'add data'
- I then select the available host ( and select both my UF)
- I then create a new server class called Linux UF
- I then select source /var/log
- Now I come to the option where I select the 'Index'.... This is where my confusion is, as the 'test' indexes I have successfully created with the master are not showing! I just want to be able to send my var/log LOGS to the 'test' index.

Does this mean I need to manually update the inputs.conf to include index = test?

If possible, could you please help list the required steps to help give me a better understanding, as right now I'm confusing myself too much.

Much appreciated and thank you!

0 Karma

lfedak_splunk
Splunk Employee

Hey @jacksonrolfe1, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂

0 Karma

gjanders
SplunkTrust

Can you override the index setting on this part of the GUI?
Some older Splunk applications, and I'm assuming versions, did not have the option of typing an index name that was not listed on the local server.

In other words, if your deployment server does not have the index "test" then you could not select this index.

You could update your application's inputs.conf file on the file system of the deployment server (which I would recommend), or you can use a hack of creating the index configuration on the deployment server, and this will allow you to select the index you wish.
If you are following the best practice then you will be creating a "dummy" index here as it will always forward data to the indexers anyway.

I have used the above hack on older applications/Splunk versions. Although I wonder if having the deployment server act as a search head (communicate with the cluster master) might also resolve this issue...

0 Karma
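
An added example, not part of the thread: the file-based route recommended in the answer above, with the /var/log monitor sent to the 'test' index and the app mapped to the 'Linux UF' server class from the question. The app name `linux_uf_inputs` and the host names in the whitelist are hypothetical placeholders.

```ini
# --- On the deployment server ---
# File: $SPLUNK_HOME/etc/deployment-apps/linux_uf_inputs/local/inputs.conf
# (linux_uf_inputs is a hypothetical app name)
# The forwarder does not check that the index exists locally; the name is
# attached to each event and resolved on the indexers.
[monitor:///var/log]
index = test
disabled = false

# File: $SPLUNK_HOME/etc/system/local/serverclass.conf
# Server class from the question; whitelist entries are placeholder host names.
[serverClass:Linux UF]
whitelist.0 = uf-host-1
whitelist.1 = uf-host-2

# Map the app to the server class and restart the forwarder after the app is
# deployed so the new input is picked up.
[serverClass:Linux UF:app:linux_uf_inputs]
restartSplunkd = true
```

After editing the files, `splunk reload deploy-server` on the deployment server makes it re-read them. The index named here has to exist on the indexer peers, as the 'test' index in the question does; events addressed to an index the indexers do not have are dropped unless a `lastChanceIndex` is configured.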

ddrillic
Ultra Champion

Strange, as index = test should appear. I normally do that via the config files and not via the UI, so I can't help much.

0 Karma