Getting Data In

Change the INDEX for data received from Splunk Windows Forwarder

krusty
Contributor

Hi,

Is it possible to use different indexes on the main Splunk server which receives the data from the Windows forwarder? For example, I have 2 file servers in our Windows environment and many other Windows servers. The event data of the file servers should be stored in "index_fileserver" and the event data of the other Windows servers should be stored in "index_windows". How can I configure this on the Windows forwarder? I know that if I change the configuration of the inputs.conf file, all received data will be stored in the specified index. But how can I define more than one index?

Thanks

1 Solution

jbsplunk
Splunk Employee

There was a limitation in 4.1 for evt/evtx files that didn't allow an index to be specified in an input. In 4.2, this is no longer the case, so if you'd like to get things working under this configuration, an update to 4.2 is in order.

krusty
Contributor

Hi, thanks for the information.
This week I upgraded to 4.2 and I saw that it now works.

Thanks splunk developer team.

0 Karma

jrodman
Splunk Employee

If you have two different inputs which should go to two different indexes, simply specify the target index in the specific input stanza.

If you have data you wish to distinguish from one input where some data should go to index 1, and some data should go to index 2, you will have to use a transform to modify the target index at parse time (on the forwarder for a heavy forwarder, on the receiving side for a light forwarder). See http://www.splunk.com/base/Documentation/latest/Admin/Routeandfilterdata as well as transforms.conf.spec and props.conf.spec.

If you are really asking how to define the indexes, this is done on your indexer(s) in indexes.conf.

0 Karma

jrodman
Splunk Employee

Index time transforms don't have much in the way of introspection. I usually start with very simple cases and work upwards with very simple trial and error. A tech support ticket might be appropriate for this.

0 Karma

krusty
Contributor

I have changed the regex to "REGEX = ." but all data still goes to the main index. I have no idea why. Are there any log files from Splunk where I can get more information?

0 Karma

jrodman
Splunk Employee

Your regex also will only match things that contain dots or asterisks, while your props.conf stanza will only match the host SRV123, which does not contain either. Perhaps you would prefer REGEX = .

0 Karma

jrodman
Splunk Employee

Note that probs.conf will be ignored, as opposed to props.conf. If that is just a typo in this comment, ignore.

0 Karma

krusty
Contributor

Hi jrodman,

I configured the probs.conf and transforms.conf as follows:
probs.conf
[host::SRV123]
TRANSFORMS = set_index_fileserver

transforms.conf
[set_index_fileserver]
REGEX = host=[.*]
DEST_KEY = _MetaData:Index
FORMAT = index_fileserver

After I restarted the Splunk processes I saw that all event data still goes into the main index. So it didn't work. Could you tell me what my mistake is?

Thanks

0 Karma
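The two routing mechanisms jrodman describes (a per-input `index` in inputs.conf, and a props.conf/transforms.conf override at parse time), together with the regex problem in the posted transforms.conf, as an added worked example. This is my code, not Splunk's and not from the thread: it is a small offline dry-run that parses Splunk-style conf text and reports which index a sample event would land in, so a REGEX can be sanity-checked before a restart, which is the introspection jrodman says index-time transforms lack. It models only the slice of the semantics the thread relies on: the input stanza's `index` sets the starting index (Splunk's default is main), a `[host::NAME]` props stanza selects by host, its `TRANSFORMS-<class>` keys (the form props.conf.spec documents) name transforms stanzas, each REGEX is tested against SOURCE_KEY which defaults to `_raw` (the event text, not the host), and a match with `DEST_KEY = _MetaData:Index` replaces the index with FORMAT. The conf text, the host SRV200, the index name index_windows, the class name `route`, and the event bodies are all constructed for the example.

```python
"""Dry-run Splunk index routing: inputs.conf -> props.conf -> transforms.conf.

Added example for this thread, not Splunk code and not the poster's
configuration. Only SOURCE_KEY=_raw (the default) is modelled, and
precedence across multiple props stanzas is not. Where these files live
follows jrodman's answer: on a heavy forwarder, or on the indexer for a
light/universal forwarder. All conf text, hosts and events are constructed.
"""
import configparser
import re

# Simple case: every Windows server's Security log goes to index_windows.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
index = index_windows
"""

# props.conf selects the file server by host and hands it to a transform.
# The key must carry a class suffix (TRANSFORMS-<class>); `route` is an
# arbitrary class name chosen here.
PROPS_CONF = """
[host::SRV123]
TRANSFORMS-route = set_index_fileserver
"""

# As posted in the thread: `[.*]` is a character class, so this REGEX only
# matches the literal text "host=." or "host=*" somewhere in the event body.
TRANSFORMS_POSTED = """
[set_index_fileserver]
REGEX = host=[.*]
DEST_KEY = _MetaData:Index
FORMAT = index_fileserver
"""

# The fix suggested in the thread: the [host::SRV123] stanza already does the
# host selection, so any non-empty event should be rerouted.
TRANSFORMS_FIXED = """
[set_index_fileserver]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_fileserver
"""

# Constructed sample events: (host, inputs.conf stanza, _raw text).
EVENTS = [
    ("SRV123", "WinEventLog://Security",
     "LogName=Security\nEventCode=4624\nComputerName=SRV123.example.com\n"
     "Message=An account was successfully logged on."),
    ("SRV200", "WinEventLog://Security",
     "LogName=Security\nEventCode=4634\nComputerName=SRV200.example.com\n"
     "Message=An account was logged off."),
]


def load_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY, REGEX etc. case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route(inputs, props, transforms, host, input_stanza, raw):
    """Return the index an event ends up in under these three conf files."""
    index = inputs.get(input_stanza, {}).get("index", "main")
    for key, value in props.get(f"host::{host}", {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue  # a bare TRANSFORMS key is not the documented form
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("SOURCE_KEY", "_raw") != "_raw":
                raise NotImplementedError("only SOURCE_KEY=_raw is modelled")
            # REGEX runs against the event text, not the host metadata.
            if t.get("DEST_KEY") == "_MetaData:Index" and re.search(t["REGEX"], raw):
                index = t["FORMAT"]
    return index


def dry_run(transforms_text):
    """Map each sample host to its destination index for the given transforms."""
    inputs, props, transforms = (load_conf(c) for c in (INPUTS_CONF, PROPS_CONF, transforms_text))
    return {host: route(inputs, props, transforms, host, stanza, raw)
            for host, stanza, raw in EVENTS}


if __name__ == "__main__":
    print("posted regex:", dry_run(TRANSFORMS_POSTED))
    print("fixed regex: ", dry_run(TRANSFORMS_FIXED))
```

Run it as-is to see both outcomes: with the posted `host=[.*]` SRV123 stays in index_windows because nothing in a Windows event body reads "host=." or "host=*", while with `REGEX = .` SRV123 moves to index_fileserver and SRV200 is untouched. Feeding a copy of a real event's `_raw` into EVENTS is the quickest way to check a new REGEX before editing the live conf files.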