Hi,
Is it possible to use different indexes on the main Splunk server which receives the data from the Windows forwarders? For example, I have 2 file servers in our Windows environment and many other Windows servers. The event data of the file servers should be stored in "index_fileserver" and the event data of the other Windows servers should be stored in "index_windows". How can I configure this on the Windows forwarder? I know that if I change the configuration of the inputs.conf file, all received data will be stored in the specified index. But how can I define more than one index?
Thanks
There was a limitation in 4.1 for evt/evtx files that didn't allow an index to be specified in an input. In 4.2 this is no longer the case, so if you'd like to get things working under this configuration, an update to 4.2 is in order.
Hi, thanks for the information.
This week I upgraded to 4.2 and I saw that it now works.
Thanks, Splunk developer team.
If you have two different inputs which should go to two different indexes, simply specify the target index in the specific input stanza.
If you have data you wish to distinguish from one input, where some data should go to index 1 and some data should go to index 2, you will have to use a transform to modify the target index at parse time (on the forwarder for a heavy forwarder, on the receiving side for a light forwarder). See http://www.splunk.com/base/Documentation/latest/Admin/Routeandfilterdata as well as transforms.conf.spec and props.conf.spec.
If you are really asking how to define the indexes, this is done on your indexer(s) in indexes.conf.
Index-time transforms don't have much in the way of introspection. I usually start with very simple cases and work upwards with very simple trial and error. A tech support ticket might be appropriate for this.
I have changed the regex to "REGEX = ." but all data still goes to the main index. I have no idea why. Are there any log files from Splunk where I can get more information?
Your regex also will only match things that contain dots or asterisks, while your props.conf stanza will only match host SRV123, which does not contain either. Perhaps you would prefer REGEX = .
Note that probs.conf will be ignored, as opposed to props.conf. If that's just a typo in this comment, ignore.
Hi jrodman,
I configured the probs.conf and transforms.conf as follows:
probs.conf
[host::SRV123]
TRANSFORMS = set_index_fileserver
transforms.conf
[set_index_fileserver]
REGEX = host=[.*]
DEST_KEY = _MetaData:Index
FORMAT = index_fileserver
After I restarted the Splunk processes I saw that all event data still goes into the main index. So it didn't work. Could you tell me what my mistake is?
Thanks
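Pulling the thread's two approaches together: a per-input index in inputs.conf (4.2 and later) for the simple case, and host-based index-time routing through props.conf/transforms.conf as jrodman describes for routing data from one input. This is an added example, not configuration from the original thread; the index names and host SRV123 come from the question, the paths are constructed.

```ini
# --- indexer (or heavy forwarder): indexes.conf ---
# Both target indexes must be defined here first; routing to an index
# that does not exist will not land the events where you expect.
[index_fileserver]
homePath   = $SPLUNK_DB/index_fileserver/db
coldPath   = $SPLUNK_DB/index_fileserver/colddb
thawedPath = $SPLUNK_DB/index_fileserver/thaweddb

[index_windows]
homePath   = $SPLUNK_DB/index_windows/db
coldPath   = $SPLUNK_DB/index_windows/colddb
thawedPath = $SPLUNK_DB/index_windows/thaweddb

# --- Option A (4.2+): inputs.conf on each Windows forwarder ---
# Every input stanza carries its own index. On the two file servers
# use index = index_fileserver, on every other Windows host index = index_windows.
[WinEventLog:Security]
disabled = 0
index = index_windows

[WinEventLog:System]
disabled = 0
index = index_windows

# --- Option B: route by host at parse time ---
# Place these where parsing happens: on the indexer when the data comes
# from a light/universal forwarder, on the forwarder itself if it is a heavy forwarder.

# props.conf (the file is props.conf; a file named probs.conf is ignored).
# props.conf.spec names the setting TRANSFORMS-<class>, so give it a class suffix.
[host::SRV123]
TRANSFORMS-route_fileserver = set_index_fileserver

# transforms.conf
# REGEX = . matches every event from the host. The earlier "host=[.*]" only
# matched a literal "." or "*" immediately after the text "host=", which does
# not occur in the raw event text, so nothing was ever rewritten.
[set_index_fileserver]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_fileserver
```

After restarting, confirm the merged settings with `splunk cmd btool props list --debug` and `splunk cmd btool transforms list --debug`, then search `index=index_fileserver host=SRV123` to verify that new events arrive in the right index.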