Hi, I am a newbie to Splunk and we are setting up our Splunk environment.
Here is my question: we have four indexers, and I created four indexes with the same name (esb_index) on the 4 indexers. I want to forward my data from selected forwarders to these newly created indexes, so that I can restrict access.
Can anyone help me with this?
I found a link that says to add the following to the inputs.conf:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Setupmultipleindexes
I added the below stanza to the U.Forwarder inputs.conf but it's not helping:
[monitor:///var/log]
disabled = false
index = esb_index
Any help is appreciated.
As long as you have configured indexes (http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Indexesconf) correctly, and restarted Splunk on all 4 indexers, the inputs.conf that you have listed should work.
Have you been able to verify events from the UFs in index=main?
I modified the one in etc/system/local on the UF; the deployment server is not yet configured.
We are using Splunk 4.3.
Which inputs.conf did you modify on the UF? Are you using deployment server? What version of Splunk are you using?
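The pieces this thread touches on, laid out file by file as an added example (not from any of the posters): the index definition on every indexer, the forwarder's output and input settings, and a role limited to the new index. The indexer hostnames, receiving port 9997, tcpout group name and role name are assumed placeholders; the index name and monitor stanza are the ones from the question.

```ini
# --- indexes.conf on EACH of the four indexers (restart Splunk afterwards) ---
# An event sent to an index that is not defined on the receiving indexer
# does not land in that index, so all four need this stanza.
[esb_index]
homePath   = $SPLUNK_DB/esb_index/db
coldPath   = $SPLUNK_DB/esb_index/colddb
thawedPath = $SPLUNK_DB/esb_index/thaweddb

# --- inputs.conf on EACH indexer: listen for forwarder traffic ---
# Port 9997 is an assumed value; use whatever receiving port you enabled.
[splunktcp://9997]
disabled = false

# --- outputs.conf on each selected universal forwarder ---
# Hostnames below are placeholders for the four indexers.
[tcpout]
defaultGroup = esb_indexers

[tcpout:esb_indexers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997, idx4.example.com:9997

# --- inputs.conf on the same forwarders (stanza from the question) ---
# Restart the forwarder after editing etc/system/local/inputs.conf.
[monitor:///var/log]
disabled = false
index = esb_index

# --- authorize.conf on the search head: hypothetical role name ---
# This limits what THIS role may search. Any other role whose
# srchIndexesAllowed matches esb_index (for example a wildcard *) can
# still search it, so review the existing roles as well.
[role_esb_user]
srchIndexesAllowed = esb_index
srchIndexesDefault = esb_index

# Check from the search head that every indexer is receiving events:
#   index=esb_index | stats count by splunk_server
```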