Getting Data In

How to redirect logs from a Universal Forwarder to a specific created index, not the main index?

gopala
New Member

Hi,

I'm trying to redirect all logs from a folder in a forwarder to "just" a specific index that we created on the indexer. This is our own created index and we want to index the logs from that folder on the forwarder "just" in our index, not on the main index.

There is a little confusion here. I have checked some information on the internet and nothing has worked so far. When somebody says "do something in the inputs.conf" it is never clear what exactly to do in that file and "where in that file" (at the beginning? at the end? in the middle? at random?). It is also never clear to which inputs.conf we should add "this something" because there are several inputs.conf files in different paths. And we even have this file on both the forwarder and the indexer.

Basically, I don't have any clue of "what to add" and "where to add it" (location of the file/files and where within the file).

I have tried several things and nothing works.

Precise and accurate help will be very much appreciated.

Thanks !

0 Karma

jmallorquin
Builder

Hi,

First you have to identify where you have configured the inputs (meaning in which inputs.conf file your input is configured). You can do this with this command: ./splunk cmd btool inputs list --debug

When you have located the inputs.conf file in which you have defined the inputs, you have to configure the label "index" in the stanza of the input:

[source or sourcetype]
index = yourindex

Hope this helps you.

0 Karma
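
An added example, not part of the thread and not Splunk's own tooling: a small parser for the output of the `btool inputs list --debug` command mentioned in the answer, reporting which inputs.conf defines each monitor stanza and which stanzas still fall through to the default index. The sample output, paths and index name are constructed, and the line layout (file path, then stanza header or setting) is assumed.

```python
import re

# Constructed sample of `./splunk cmd btool inputs list --debug` output on a
# forwarder; paths, stanzas and values are illustrative, not from the thread.
SAMPLE_BTOOL = """\
/opt/splunkforwarder/etc/apps/myapp/local/inputs.conf   [monitor:///var/log/myapp]
/opt/splunkforwarder/etc/system/default/inputs.conf     _rcvbuf = 1572864
/opt/splunkforwarder/etc/apps/myapp/local/inputs.conf   disabled = false
/opt/splunkforwarder/etc/system/default/inputs.conf     host = $decideOnStartup
/opt/splunkforwarder/etc/apps/myapp/local/inputs.conf   index = yourindex
/opt/splunkforwarder/etc/system/local/inputs.conf       [monitor:///var/log/other]
/opt/splunkforwarder/etc/system/default/inputs.conf     host = $decideOnStartup
/opt/splunkforwarder/etc/system/default/inputs.conf     index = default
"""

LINE = re.compile(r"^(?P<file>.*?\.conf)\s+(?P<rest>.+)$")   # "<file> <stanza or setting>"
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")

def monitor_index_report(btool_output):
    """Map each [monitor://...] stanza to the file that defines it and the
    effective index, with the file that supplies that index value."""
    report, current = {}, None
    for raw in btool_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, rest = m.group("file"), m.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            name = rest[1:-1]
            current = name if name.startswith("monitor://") else None
            if current:
                report[current] = {"stanza_file": src, "index": None, "index_file": None}
            continue
        s = SETTING.match(rest)
        if current and s and s.group("key") == "index":
            report[current]["index"] = s.group("value").strip()
            report[current]["index_file"] = src
    return report

def stanzas_on_default_index(report):
    """Stanzas with no explicit index: their events go to the default index."""
    return sorted(n for n, r in report.items() if r["index"] in (None, "default"))

if __name__ == "__main__":
    rep = monitor_index_report(SAMPLE_BTOOL)
    for name, r in rep.items():
        print(f"{name}: index={r['index']} (from {r['index_file']}), defined in {r['stanza_file']}")
    print("Still on default index:", stanzas_on_default_index(rep))
```

The file shown next to a stanza header is the inputs.conf to edit on the forwarder; the custom index itself must already exist on the indexer.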