Hello Splunkers,
I have seen in system/local/inputs.conf of many servers that it contains one entry, provided below:
root@abchost:~ # cat /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
host = abc.com
index = unmanaged
What is the need of providing index = unmanaged in that?
I am simply guessing that it might provide the default index entry to those monitors which don't have an index name specified.
Please let me know if I am right or wrong; if wrong, then please let me know what the need of providing that value is.
Use the [default] stanza to define any global settings.
* You can also define global settings outside of any stanza, at the top of the file.
* Each conf file should have at most one default stanza. If there are multiple default stanzas, settings are combined. In the case of multiple definitions of the same setting, the last definition in the file wins.
* If a setting is defined at both the global level and in a specific stanza, the value in the specific stanza takes precedence.
https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf
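The precedence rules quoted in the answer above, worked through in Python as an added example (not part of the original thread and not Splunk's code). The sample file, the index names other than `unmanaged`, and the function names are constructed, and only a single inputs.conf file is modeled, not Splunk's layering across other configuration directories.

```python
# Added example: resolve effective settings per input stanza in ONE inputs.conf,
# following the quoted [default] rules. Cross-file layering is not modeled.
SAMPLE = """\
# constructed sample, not from a real host
[default]
host = abc.com
index = unmanaged

[monitor:///var/log/secure]
sourcetype = linux_secure

[monitor:///var/log/audit/audit.log]
index = os_audit

[default]
index = catchall
"""

def parse(text):
    """Return (global_settings, {stanza: settings}) for one conf file."""
    globals_, stanzas, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # Settings above the first stanza and every [default] stanza feed
            # the same global dict; a later definition overwrites an earlier one.
            current = globals_ if name == "default" else stanzas.setdefault(name, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            (globals_ if current is None else current)[key.strip()] = value.strip()
    return globals_, stanzas

def effective(text):
    """Merge globals into each stanza; stanza-level values take precedence."""
    globals_, stanzas = parse(text)
    return {name: {**globals_, **settings} for name, settings in stanzas.items()}

def inputs_using_global_index(text):
    """Inputs that set no index of their own and so inherit the global one."""
    _, stanzas = parse(text)
    return sorted(name for name, s in stanzas.items() if "index" not in s)

if __name__ == "__main__":
    for name, settings in effective(SAMPLE).items():
        print(name, "->", settings.get("index"))
```

Listing the inputs that inherit the global index shows which data would land in an index such as `unmanaged` without anyone having chosen it explicitly.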
I think that your guess is probably correct, based on the name of the index. Unless you can talk to the person who created that stanza or the person who created that index (he might have left some comments in the inputs.conf or indexes.conf file, so check that), there will be no way to know for sure.
@woodcock
This entry came pre-loaded when I installed the Splunk forwarder on a Linux host.
I think probably not. But maybe your installation process connected your forwarder to a Deployment Server and it pulled the setting in that way.
Can a deployment server influence etc/system/local?
Which forwarder version is that? And how are you installing it? Because last time I installed a UF from a tgz (v7.1.1), it definitely didn't contain that setting by default.
@kmorris [Splunk]
That I know, but the question here is: what is the use of index = unmanaged?