Hi
I have data coming from a forwarder. When I originally set up the inputs.conf manually, the data was handled under the main (default) indexer. I
1. Created a new index via the Web GUI.
2. Restarted the server.
3. Changed the index to the new one via the web and manually checked the inputs.conf file.
4. Restarted again.
The data is still going to the default one. How am I going to get the data to move to the new index?
Sorry to say, there was no doubled up rule.
However, it seems to be important where the rule files are placed. I understand that the default rules should never be changed. However, if the index.conf is placed under the app/search/local directory, it does not seem to have an effect on an input.conf file under the app/launcher/local directory. There also appears to be no way to control where the configuration files are placed under the web GUI, or at least I have not found it. Perhaps I need to create the index under well within the launcher app. I did find information regarding this in the online documentation for index and input configuration files.
After this, I placed the index.conf file under the /etc/system/local directory, and all the inputs that were set to use the configured index started to work as expected.
...In addition, this was also interesting when using a forwarder (Universal Forwarder).
I found I had to set the index on both ends to ensure the data went to the correct index on the receiver.
Take a look at this doc, to help better understand configuration file precedence.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Wheretofindtheconfigurationfiles
It's possible that there is another inputs.conf file that is overriding your inputs.conf file. Run the following command to check the active configuration:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
A further description of the tool is here:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Troubleshooting/Usebtooltotroubleshootconfiguratio...
Ok, the first one is in the default section, so unlikely..
Ran this tool and found the following:
[splunktcp]
acceptFrom = *
...
index = default
[splunktcp://:8999]
index = myindex
source = tcp:8999
Since the data in question is sent by a universal forwarder, could this be the issue?
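As an added example (not part of the thread and not Splunk's own tooling): a small Python script that reads `btool inputs list --debug` output and reports which file sets `index` for each stanza, so a value inherited from a default file is easy to spot. The sample output, its paths, the `monitor` stanza and the `<file> <setting>` line layout are constructed assumptions; paths containing spaces are not handled.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Assumed layout per line: "<path to .conf file> <stanza header or key = value>".
SAMPLE = """\
/opt/splunk/etc/system/default/inputs.conf [splunktcp]
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://:8999]
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/apps/launcher/local/inputs.conf index = myindex
/opt/splunk/etc/apps/launcher/local/inputs.conf source = tcp:8999
/opt/splunk/etc/apps/search/local/inputs.conf [monitor:///var/log/app.log]
/opt/splunk/etc/system/default/inputs.conf index = default
"""

# Path token ending in .conf, then the setting or stanza header.
LINE = re.compile(r"^(?P<path>\S+\.conf)\s+(?P<rest>.*)$")


def effective_index(btool_output):
    """Return {stanza: (index, file_that_set_it)} from btool --debug output."""
    result, stanza = {}, None
    for raw in btool_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        path, rest = m.group("path"), m.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            result[stanza] = (None, None)  # no index seen yet for this stanza
        elif stanza and "=" in rest:
            key, _, value = rest.partition("=")
            if key.strip() == "index":
                result[stanza] = (value.strip(), path)
    return result


def inherited_index(btool_output):
    """Stanzas whose index is unset or comes from a .../default/ file."""
    return sorted(s for s, (_, path) in effective_index(btool_output).items()
                  if path is None or "/default/" in path)


if __name__ == "__main__":
    for name, (idx, src) in effective_index(SAMPLE).items():
        print(f"[{name}] index={idx} set by {src}")
    print("inherited from defaults:", inherited_index(SAMPLE))
```

To use it on a real host, pass the captured output of the btool command above to `effective_index` in place of `SAMPLE`.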