My goal is to create a multi-tenant environment for monitoring several groups of Windows Servers.
In other words, I’d like to index every group with a separate dedicated index.
The Splunk Universal Forwarder is installed on every Windows Server and its output is directed to my Splunk Enterprise.
My original idea was:
1. To create a Server Class for each group of servers
2. To specify a separate index to each Server Class
For the 1st group everything went ok:
Windows Events Logs -> New ->
Select Forwarders: Here I selected servers for the 1st group (group1) -> Next
Select Source: Here I selected relevant event log channels (Application) -> Next
Input Setting: Here I selected an index for the 1st group (idx_group1) -> Review -> Save
As a result, the new deployment application was created for the Server Class:
In /opt/splunk/etc/deployment-apps/_server_app_group1/local/inputs.conf
[WinEventLog://Application]
disabled = 0
index = idx_group1
Indeed, the events from the server are indexed by idx_group1!
However, when I did the same for the 2nd group, I got an error:
Cannot create another input for the event log "Application", one already exists.
Splunk says “The event log monitor runs once for every event log input defined in Splunk.”
So my question is – how can I collect the events from several groups of servers, when each group is indexed by a dedicated index?
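As an added illustration that is not part of the original question, the following shows how the two-group layout described above looks on disk on the deployment server: one server class per group, each bound to its own deployment app, and each app carrying the same [WinEventLog://Application] stanza with a different index. The first inputs.conf is the one quoted in the post; the serverclass.conf host patterns (group1-*, group2-*) and the second app name (_server_app_group2) are assumptions chosen for the example.

```ini
# /opt/splunk/etc/system/local/serverclass.conf on the deployment server.
# Host patterns are assumed placeholders; substitute the real forwarder names.
[serverClass:group1]
whitelist.0 = group1-*

[serverClass:group1:app:_server_app_group1]
restartSplunkd = true

[serverClass:group2]
whitelist.0 = group2-*

[serverClass:group2:app:_server_app_group2]
restartSplunkd = true

# /opt/splunk/etc/deployment-apps/_server_app_group1/local/inputs.conf
# (the file created by the wizard, as quoted in the post)
[WinEventLog://Application]
disabled = 0
index = idx_group1

# /opt/splunk/etc/deployment-apps/_server_app_group2/local/inputs.conf
# (assumed second app with the same stanza but a different target index)
[WinEventLog://Application]
disabled = 0
index = idx_group2
```

The duplicate-channel check that produced the error is enforced by the Forwarder Management wizard; on each forwarder, inputs.conf stanzas from all deployed apps are merged, and a forwarder only receives the apps of the server classes it matches. The point to verify before relying on this layout is that no host matches more than one server class: a forwarder that received both apps would end up with a single merged [WinEventLog://Application] stanza and only one index setting would win, so the host's events would silently land in one tenant's index rather than both. Checking `splunk btool inputs list --debug` on a forwarder, or the deployment server's client list, shows which app (and therefore which index) each host actually received.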