Videos

Stuff Splunkers Should Know (1) - PerfMon / WMI Collection in Splunk 4.2

Added by Michael Wilde
Splunk + SCOM - Troubleshooting .NET at Lightspeed!

Added by Michael Wilde

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Added by Michael Wilde

Latest Activity

William S and Please... Dee Esssss :-) joined splunkninja

1 hour ago

Amine Recoba is now a member of splunkninja

yesterday

Welcome Them!

Michael Wilde replied to Nikita's discussion Count failures and success via transaction

"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"

Friday

Linus Myrefelt updated their profile

May 22

Marie updated their profile

May 21

Marie is now a member of splunkninja

May 21

Welcome Them!

Jitter and matthew arguin joined splunkninja

May 18

Matthew Carter and Nikita joined splunkninja

May 17

Light forwarder sends directly to an Index on the splunk server

Is it possible to have a splunk light forwarder (with unix enabled) to send its logs to a seperate index on the splunk server?

Thanks everyone :)

▶ Reply to This

Replies to This Discussion

Permalink Reply by Ferry Leirissa on March 17, 2010 at 2:50am

Yes its possible, you can read it on http://www.splunk.com/support/forum:SplunkAdministration/3994
You have to edit the props and transforms (on receive) like :

props.conf

[host::devhost*]
TRANSFORMS-dev = IndexIs-dev

[host::prodhost*]
TRANSFORMS-prod = IndexIs-prod

transforms.conf

[IndexIs-dev]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = dev

[IndexIs-prod]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = prod