Videos

  • Add Videos
  • View All

Latest Activity

Profile Icon
Greg Vallenari is now a member of splunkninja Sunday
Welcome Them!
Profile Icon
Mike Hartford commented on Michael Wilde's video
Got it thanks
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Michael Wilde commented on Michael Wilde's video
Sure...  When you do group mapping, map them to groups that don't have the domain admins in them.  I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 8
Profile Icon
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk.  Can I keep the domain admins out of Splunk if I have LDAP authentication???
Thumbnail

Splunk Ninja - Basic Training: Splunk & LDAP Authentication

Feb 7
Profile Icon
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,   Glad to have another Splunker.  I've been useing Splunk for 2 years and am hooked.  I leared how to spell splunk and | transaction too.  you'll learn that one soon.   Go over to Splunk…
Feb 7
Profile Icon
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
  Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!   The team that found them must have special bat senses and highly tooned Splunking skills   I like to wear Extra Lovable…
Feb 7
Profile Icon
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
Status posted by Jonathan Hawes Feb 7
0 Comments
Profile Icon
Jonathan Hawes is now a member of splunkninja Feb 7
Welcome Them!
Ziad

Light forwarder sends directly to an Index on the splunk server

Is it possible to have a splunk light forwarder (with unix enabled) to send its logs to a seperate index on the splunk server?

Thanks everyone :)

Views: 66

Reply to This

Replies to This Discussion

Ferry LeirissaPermalink Reply by Ferry Leirissa on March 17, 2010 at 2:50am
Yes its possible, you can read it on http://www.splunk.com/support/forum:SplunkAdministration/3994
You have to edit the props and transforms (on receive) like :

props.conf

[host::devhost*]
TRANSFORMS-dev = IndexIs-dev

[host::prodhost*]
TRANSFORMS-prod = IndexIs-prod

transforms.conf

[IndexIs-dev]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = dev

[IndexIs-prod]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = prod
ZiadPermalink Reply by Ziad on March 17, 2010 at 9:40pm
Worked perfectly! thanks!
Michael WildePermalink Reply by Michael Wilde on March 19, 2010 at 2:09pm
you an also set an "index" setting in inputs.conf

[monitor://var/log/messages]
index=mysweetindex
ZiadPermalink Reply by Ziad on March 19, 2010 at 7:51pm
Would that be at the light forwarder side? i am running unix and splunk light forwarder at the lightforwarder.

RSS

© 2012   Created by Michael Wilde.

Badges  |  Report an Issue  |  Terms of Service