Hi,
I just created a new app and wanted to point my network inputs to another index, managed by my app. So, I modified my inputs.conf and indexes.conf files in my $SPLUNK_HOME/etc/apps/MYAPP/local/ directory to use the new index:
indexes.conf:
[custom_index]
coldPath = $SPLUNK_DB/custom_index/colddb
disabled = 0
homePath = $SPLUNK_DB/custom_index/db
thawedPath = $SPLUNK_DB/custom_index/thaweddb
inputs.conf
[udp://20000]
index = custom_index
disabled = false
sourcetype = custom
I restarted Splunk from the WEB UI and from the command line. When I went to see if stuff was indexing in my new index it was, but I didn't see any of the data available to my new app. Permissions are set correctly for the index and when I look at the "Event_count" in the manager window, the number is growing! Is there something I am missing? I am using the free version of splunk (v4.0.6) but I don't believe that has anything to do with my problem. I can use the default "main" index fine but I would like to use my own separate indexes for certain splunk apps. Any help would be appreciated.
Thanks,
Ray
... View more