|
If I make configuration changes mentioned by Maverick, in http://answers.splunk.com/questions/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-events-i-want, how do I send other logs/events to the same indexer. For example, how would I send DHCP logs, WindowsUpdate logs, WMI stuff? Do I have to tweak props.conf, transforms.conf, output.conf for every log? Also, which application should I make the changes to props.conf, transforms.conf, and output.conf? I tried to do it under F:\Program Files\Splunk\etc\apps\SplunkForwarder\, but it did not make a difference. No events appeared on the idexer |
|
On the forwarder you want to set up an input for every occurrence. Then, you would specify the sourcetype on the input. (DHCP, windows update, wmi, etc) If you are using a light/universal forwarder, you build filters based on the sourcetype on the indexer. If you're using a heavy forwarder, then you do the same thing. Specify the input, and sourcetype. Build a props entry based on the source type, and build a transforms entry based on the TRANSFORMS field. On the indexer, the props/transforms are in etc\system\local You do need to add an entry for every unique sourcetype. |
