Missing Index Even Specifying Index in inputs.conf

jimmyzhangau
New Member

Hi,
The architecture of the deployment is UF (Windows) -> HF -> Indexer -> SH; only the UF is installed on the Windows platform and all other instances are Linux. The inputs.conf on the UF is below:
[default]
host = XXX-PC
index = main
sourcetype = Win-UF
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor://C:\temp\temp.log]
disabled = 0
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[perfmon://FreeDiskSpace]
interval = 10
disabled = 0
[perfmon://Memory]
interval = 10
disabled = 0
[perfmon://LocalNetwork]
interval = 10
disabled = 0
[perfmon://CPUTime]
interval = 10
disabled = 0

As you can see, I explicitly configured the default index that all Windows events collected by the UF should go to. From the search head, I could successfully get all file monitoring events from the default index, but I couldn't get any performance events, and I got this warning message from the SH:
Search peer XYZ has the following message: Received event for unconfigured/disabled/deleted index=perfmon with source="source::Perfmon:Memory" host="host::XXX-PC" sourcetype="sourcetype::Perfmon:Memory". So far received events from 1 missing index(es).

Why did Splunk still report a missing index even though I specified the default index to be main? And why weren't the events sent to the main index?


jtacy
Builder

A possible reason this data is being sent to the perfmon index is that the Windows add-on for the UF sets that target index and it won't be overridden by a [default] setting because that's less-specific. On my test system, C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf contains this:

## Memory
[perfmon://Memory]
# Excluding the counters attribute because it's too verbose...
disabled = 1
interval = 10
object = Memory
useEnglishOnly=true
index = perfmon

Note the last line that selects the perfmon index; I think that's the problem here. If you must put everything in the main index, I would suggest explicitly setting the index in each inputs.conf stanza that you listed in your question. Do not change the inputs.conf that is part of the Windows add-on or your changes will be overridden if you ever upgrade the add-on.

All of that said, unless your environment is small I would consider the benefits of creating the perfmon index (or another name of your choosing). If you ever decide you want to keep your different data sources for different lengths of time, for example, you'll end up having to put them in different indexes. This documentation covers a few reasons to consider using custom indexes and explains how to create them: http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/Setupmultipleindexes

Good luck!
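As an added illustration (not part of jtacy's answer or of Splunk's own code), a small Python model of the layering rule described above: a setting in a specific stanza in any file beats a [default] value, so the add-on's index = perfmon wins until the user's own stanza sets index explicitly. The file contents, layer order and stanza names below are constructed from the thread, and the model is deliberately simplified.

```python
# Added example: simplified model of how Splunk layers inputs.conf stanzas.
# Not Splunk's resolution code; file contents below are constructed.

def parse_conf(text):
    """Parse a minimal .conf into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def effective_setting(layers, stanza, key):
    """layers: parsed files, highest precedence first (local before the
    add-on's default). A key set in the named stanza of ANY layer beats a
    [default] value from any layer, because [default] is least specific."""
    for conf in layers:
        if key in conf.get(stanza, {}):
            return conf[stanza][key]
    for conf in layers:
        if key in conf.get("default", {}):
            return conf["default"][key]
    return None

# Constructed: the user's local inputs.conf and the add-on's default inputs.conf.
USER_LOCAL = """
[default]
index = main
[monitor://C:\\temp\\temp.log]
disabled = 0
[perfmon://Memory]
interval = 10
disabled = 0
"""
TA_DEFAULT = """
[perfmon://Memory]
disabled = 1
object = Memory
index = perfmon
"""
# The suggested fix: an explicit index inside the perfmon stanza itself.
FIXED_LOCAL = USER_LOCAL + "index = main\n"

def resolve(local_text):
    """Effective index for the two stanzas, given the user's local file."""
    layers = [parse_conf(local_text), parse_conf(TA_DEFAULT)]
    return {s: effective_setting(layers, s, "index")
            for s in ("monitor://C:\\temp\\temp.log", "perfmon://Memory")}

if __name__ == "__main__":
    print(resolve(USER_LOCAL))   # perfmon://Memory resolves to perfmon
    print(resolve(FIXED_LOCAL))  # perfmon://Memory resolves to main
```

On a real forwarder the equivalent check is `splunk btool inputs list --debug`, which prints each effective setting together with the file it came from.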

chaowaimen
Engager

Hi Jtacy,

I think that's the reason. I missed the point that the more specific configuration overrides the less-specific one; I only thought the inputs.conf in the local directory would override the inputs.conf in the default directory of apps.
