I want all forwarders on a single splunkforwarder box to send data to the same specified index. I'd like to avoid having to do this in inputs.conf:
[monitor]
...
index=box_index
[monitor]
...
index=box_index
[monitor]
...
index=box_index
...
Is there a way to set the default index globally on a single box that is functioning only as a splunkforwarder?
On every Splunk instance, the default destination index is defined in:
$SPLUNK_HOME/etc/system/default/inputs.conf
[default]
index=default
On the indexers, the default index is specified in
$SPLUNK_HOME/etc/system/default/indexes.conf
#the global parameter (no stanza, just as first parameters of the file)
defaultDatabase = main
You can override it by adding in system/local on the forwarders (or in a deployed app)
$SPLUNK_HOME/etc/system/local/inputs.conf
[default]
index=monitor
Or, on the indexers, change the default index to go to monitor instead of main
(but it will be the case for every event, not just for the forwarders).
Add in local/indexes.conf
defaultDatabase = monitor
To be more clear, I want to add that in a deployed app (on a universal forwarder), to make this work in an inputs.conf I had to add it like this:
[default]
index=xyz
Note the line break in my code block above, as on the inputs.conf adding it all as ONE LINE like this below:
[default] index=xyz
did not work / have any effect. This was on a 6.6.x Splunk setup / UF.
tks
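The `[default]` inheritance described in the answer and the one-line pitfall reported in the comment can be checked before an app is deployed. The following is an added example, not code from the thread or from Splunk: a simplified single-file parser (it does not model Splunk's precedence across system/local and app directories) that resolves the effective index of each input stanza and flags a setting written on the same line as a stanza header. The monitor paths and `audit_index` are constructed sample values.

```python
import re

HEADER = re.compile(r"^\[([^\]]*)\](.*)$")  # "[stanza]" plus any trailing text

def effective_indexes(conf_text, fallback="default"):
    """Return ({input stanza: effective index}, [warnings]) for one inputs.conf."""
    stanzas, warnings = {"default": {}}, []
    current = "default"  # assumption: settings before any header count as global
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, {})
            extra = m.group(2).strip()
            if extra:  # e.g. "[default] index=xyz" written on one line
                warnings.append(f"line {lineno}: {extra!r} after [{current}] "
                                "is not applied; move it to its own line")
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    box_default = stanzas["default"].get("index", fallback)
    resolved = {name: attrs.get("index", box_default)
                for name, attrs in stanzas.items() if name != "default"}
    return resolved, warnings

# Constructed sample files (monitor paths and audit_index are made up).
GOOD = """\
[default]
index = box_index

[monitor:///var/log/secure]
sourcetype = linux_secure

[monitor:///var/log/audit/audit.log]
index = audit_index
"""

ONE_LINE = """\
[default] index=box_index

[monitor:///var/log/secure]
sourcetype = linux_secure
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("ONE_LINE", ONE_LINE)):
        print(label, *effective_indexes(text), sep="\n  ")
```

On a real forwarder, `splunk btool inputs list --debug` shows the merged settings across all configuration files and which file each one came from.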
On every Splunk instance, the default destination index is defined in:
$SPLUNK_HOME/etc/system/default/inputs.conf
[default]
index=default
On the indexers, the default index is specified in
$SPLUNK_HOME/etc/system/default/indexes.conf
#the global parameter (no stanza, just as first parameters of the file)
defaultDatabase = main
You can override it by adding in system/local on the forwarders
local/inputs.conf (in system or in a deployed app)
[default]
index=monitor
#was index-default
Or, on the indexers, change the default index to go to monitor instead of main
(but it will be the case for every event, not just for the forwarders).
Add in local/indexes.conf (in system or in a deployed app)
defaultDatabase = monitor
#was defaultDatabase = main