multiple indexes in distrubuted splunk environment

ultra · ‎09-30-2010

Before I ask my question, this is my environment.

1 forwarder

4 indexers

1 search head

I am trying to setup several indexes (based on source types).

I have created indexes on each of the indexers (ct_usertransaction), and setup rules according to the documentation.

props.conf (on forwarder)
[ct-UserTransaction]
TRANSFORMS-index = ct-UserTransaction


[ct-UserTransaction]
DEST_KEY = MetaData:Index
REGEX = (ct-UserTransaction:)
FORMAT = ct_usertransaction

But I don't see anything in ct_usertransaction index.

Where do I need to configure the rules, on a forwarder or indexers?

gkanapathy · ‎09-30-2010

Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for a general explanation.

ultra · ‎09-30-2010

Thank you very much for this. It is a helpful link.

But it raises another question.
How do I route specific events from a heavy weight forwarder to a specific index on a remote indexer?

Stephen_Sorkin · ‎09-30-2010

You need to set this configuration on the indexer for lightweight forwarders and on the forwarder for heavyweight forwarders.

multiple indexes in distrubuted splunk environment

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk