I want to send logs to another index that I create...

sacalao · ‎08-06-2013

I want to send logs to another index that I created, not the main index. How to do it?

I need to configure something on the splunk server too (inputs.conf)?

Thanks!

Dimitri_McKay · ‎08-07-2013

in the UI you'd go Manager > Indexes > and define the new index name.
Then you'd edit your inputs.conf for that source to point to the name of the new index.
That should do you right.

Ayn · ‎08-06-2013

For the input you want to send to another index, simply specify this in the input's section in inputs.conf.

[monitor:///your/file/or/directory]
index = yourindex

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Ayn · ‎08-07-2013

I'm not sure I understand the question. It doesn't matter if you got the data through a forwarder or not. You set this on the instance that's reading the files, in your case the forwarder. Duplication isn't an issue at all.

sacalao · ‎08-06-2013

Thanks, but I am getting the logs of a fowarder on port 9997. Using this I not'll be duplicating the data?

I want to send logs to another index that I created, not the main index. How to do it?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!