splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Ziad

Light forwarder sends directly to an Index on the splunk server

Is it possible to have a splunk light forwarder (with unix enabled) to send its logs to a seperate index on the splunk server?

Thanks everyone :)

Reply to This

Replies to This Discussion

Ferry Leirissa Permalink Reply by Ferry Leirissa on March 17, 2010 at 1:50am
Yes its possible, you can read it on http://www.splunk.com/support/forum:SplunkAdministration/3994
You have to edit the props and transforms (on receive) like :

props.conf

[host::devhost*]
TRANSFORMS-dev = IndexIs-dev

[host::prodhost*]
TRANSFORMS-prod = IndexIs-prod

transforms.conf

[IndexIs-dev]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = dev

[IndexIs-prod]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = prod

Reply to This

Ziad Permalink Reply by Ziad on March 17, 2010 at 8:40pm
Worked perfectly! thanks!

Reply to This

Michael Wilde Permalink Reply by Michael Wilde on March 19, 2010 at 1:09pm
you an also set an "index" setting in inputs.conf

[monitor://var/log/messages]
index=mysweetindex

Reply to This

Ziad Permalink Reply by Ziad on March 19, 2010 at 6:51pm
Would that be at the light forwarder side? i am running unix and splunk light forwarder at the lightforwarder.

Reply to This

RSS

Videos

Latest Splunk Community Postings

Loading feed

Latest Splunk Forum Posts

Loading feed

© 2010   Created by Michael Wilde.   Powered by .

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!