multiple indexes in distrubuted splunk environment

Question

Before I ask my question, this is my environment.

1 forwarder

4 indexers

1 search head

I am trying to setup several indexes (based on source types).

I have created indexes on each of the indexers (ct_usertransaction), and setup rules according to the documentation.

props.conf (on forwarder)
[ct-UserTransaction]
TRANSFORMS-index = ct-UserTransaction


[ct-UserTransaction]
DEST_KEY = MetaData:Index
REGEX = (ct-UserTransaction:)
FORMAT = ct_usertransaction

But I don't see anything in ct_usertransaction index.

Where do I need to configure the rules, on a forwarder or indexers?

Answer 1

1	You need to set this configuration on the indexer for lightweight forwarders and on the forwarder for heavyweight forwarders. link answered 30 Sep '10, 02:39 Stephen Sorkin ♦ 8.1k●4●7 accept rate: 52%

Answer 2

1

Please see http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for a general explanation.

link

answered 30 Sep '10, 03:41

gkanapathy ♦
26.5k●1●6●22
accept rate: 42%

Thank you very much for this. It is a helpful link.

But it raises another question. How do I route specific events from a heavy weight forwarder to a specific index on a remote indexer?

(30 Sep '10, 18:33) ultra

multiple indexes in distrubuted splunk environment

Follow this question

Splunk Resources

Related questions