Forwarder works properly on initial install. Event logs are successfully exported into Splunk, but end up in the main index.
I modified inputs.conf and added:
[default]
index = otherindex
After that, no data is transmitted. I know that the index is there as it is successfully displaying data that is coming in from our Linux hosts. I also tried simply adding index = otherindex under each type of Eventlog with the same results.
Maybe there is some kind of permission that is blocking these Windows hosts from writing to that index? (I'm not the Splunk admin so I don't know what's possible -- I'm merely deploying the client)