Greetings all,
I am new to Splunk and trying to learn my way around it. I created a home lab environment with the following details:
* 1 search head, 1 indexer, and 1 heavy forwarder (all Linux).
* 1 universal forwarder (my desktop).
Right now, my Windows logs are being sent from the universal forwarder to the heavy forwarder on TCP port 9998 (random port number). Then, the heavy forwarder receives on 9998 and sends on to the indexer on 9997. I can search from the search head and receive all the data; *however, it all goes to index=main.*
I tried the following:
* Modified inputs.conf on the heavy forwarder with the following:
[tcp://mydesktopIP:9998]
index = desktop
===
* I also tried modifying the inputs.conf file in the launcher app:
[splunktcp://9998]
index = desktop
====
None of the options above worked. Also, kindly note that I ensured that the indexes.conf file on my indexer has the "desktop" index information.
Thanks in advance.
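The two standard places to set the destination index in this UF -> HF -> indexer topology, as an added example that is not part of the original post. The mechanism is standard Splunk behaviour: the universal forwarder stamps index metadata on each input it reads (so `index = desktop` belongs on the UF's input stanzas), and a heavy forwarder, because it parses data, can override that metadata at index time with a props.conf/transforms.conf pair that writes to `_MetaData:Index`. A `[tcp://...]` stanza receives raw TCP (syslog-style senders), not the Splunk-to-Splunk stream a UF sends; that stream is received by `[splunktcp://<port>]`. The hostnames `MYDESKTOP` and `indexer.lab.local`, the chosen Windows event log channels and the transform name are assumptions.

```ini
# --- Universal forwarder (Windows desktop): %SPLUNK_HOME%\etc\system\local\inputs.conf ---
# The UF sets index/sourcetype/host metadata at the input, so this is the
# simplest place to route a whole input. "desktop" must already be defined in
# indexes.conf on the indexer. Event log channels below are assumed examples.
[WinEventLog://Security]
disabled = 0
index = desktop

[WinEventLog://System]
disabled = 0
index = desktop

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# A UF speaks the Splunk-to-Splunk protocol, so the receiving stanza is
# splunktcp://, not tcp:// (tcp:// is for raw TCP senders such as syslog).
# The index carried in the forwarded metadata is kept as-is here.
[splunktcp://9998]
disabled = 0

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Forward everything on to the indexer's receiving port.
# indexer.lab.local is an assumed hostname.
[tcpout]
defaultGroup = lab_indexer

[tcpout:lab_indexer]
server = indexer.lab.local:9997

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/props.conf ---
# Alternative when the UF inputs cannot be edited: the HF parses data, so an
# index-time transform can rewrite the index key for events arriving from a
# given host. MYDESKTOP is the assumed host value the UF sends.
[host::MYDESKTOP]
TRANSFORMS-route_desktop = set_index_desktop

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/transforms.conf ---
# Match every event (REGEX = .) and set the destination index to "desktop".
[set_index_desktop]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = desktop
```

Restart splunkd on whichever instance was changed (both mechanisms are read at startup), then check that the stanzas actually won the configuration-layering merge with `splunk btool inputs list --debug` on the UF and `splunk btool props list --debug` / `splunk btool transforms list --debug` on the HF; the `--debug` output shows which file each setting came from, which is how to spot a higher-precedence app (for example a launcher or TA app) still setting `index = main`. New events should then appear under `index=desktop` on the search head; events already indexed into `main` are not moved.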