Channel: Questions in topic: "splunk-enterprise"

Is this inputs.conf changing our default index from "Main" to "test" for all forwarders getting apps from the management server?

I inherited a Splunk Enterprise deployment with a deployment management server used to make changes to all forwarders in the environment. In our environment we have an index called "test" that is eating away at a highly disproportionate amount of our license (it's 50+% of our daily usage). When I log on to our Splunk deployment server and do a search for "Index = test" or "Index=test" I get back two apps in $SPLUNK_HOME/etc/deployment-apps/. The first is DesktopForwarder, which has a default `inputs.conf` file that looks like this:

```
index=test

# Specific File Change Monitors
[fschange:$windir/win.ini]
fullEvent=true

[fschange:$windir/system.ini]
fullEvent=true

[fschange:c:/autoexec.bat]
fullEvent=true

[fschange:c:/config.sys]
fullEvent=true

[fschange:c:/boot.ini]
fullEvent=true

[fschange:$windir/regedit.exe]

# Folder File Change Monitors
[fschange:$windir/system]
filters=filetypes-blacklist

[fschange:$windir/system32]
filters=filetypes-blacklist,system32-blacklist

[fschange:C:/Documents and Settings/All Users/Start Menu/Programs/Startup]
filters=filetypes-blacklist

[fschange:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup]
filters=filetypes-blacklist

# Change Monitor Filters
[filter:blacklist:generic-blacklist]

[filter:blacklist:filetypes-blacklist]
regex1=.*\.log
regex2=.*\.evtx
regex3=.*\.tmp
regex4=.*\.bak
regex5=.*\.dat
regex6=.*\.old
regex7=.*\.bad

[filter:blacklist:system32-blacklist]
regex1=.*\\LogFiles\\.*
regex2=.*\\wbem\\Logs\\.*
regex3=.*\\wbem\\Repository\\.*
regex4=.*\\config\\.*
regex5=.*\\spool\\.*
regex6=.*\\CatRoot\\.*
```

The second is a Forwarder app that has a default `inputs.conf` that looks like this:

```
[default]
index = test

[fschange:D:\Program Files\Splunk\etc]
disabled = 1
```

In the context of today, if I search `index="test"` I get thousands of WinEventLog:Security events from every Windows server on our network.
If I search `index="test" NOT sourcetype="WinEventLog:Security"` I get a few dozen log files from one RHEL6 server that don't appear to be handled elsewhere. My question is: in the second file (Forwarder/default/inputs.conf), is that changing our default index from "Main" to "test" for all forwarders getting apps from the management server? Additionally, if I search `sourcetype="WinEventLog:Security"` I have 2 other indexes (for a total of 3) getting WinEvent Security logs. Is there a way for me to tell if these are duplicates?
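The question turns on how Splunk layers every `inputs.conf` it finds and then applies the merged `[default]` stanza to any stanza that does not set `index` itself. The script below is an added example, not code from the original post or from Splunk: it models the documented global-context precedence (`system/local` over `apps/<app>/local` over `apps/<app>/default` over `system/default`; apps deployed from `deployment-apps/` land under `etc/apps/<app>/` on the forwarder) and the `[default]` fallback, then resolves which stanzas end up in `test`. The layers are constructed: the two deployment apps are abridged from the question, `system/default` approximates the file Splunk ships, and the `WindowsInputs` app with a `[WinEventLog://Security]` stanza is an assumption standing in for whichever app collects Security events without naming an index.

```python
"""Which inputs.conf stanzas end up in index=test once Splunk layers its
.conf files?  Added example (not from the original post or from Splunk).

Modelled rules, for the global context that inputs.conf uses:
  1. Precedence: etc/system/local > etc/apps/<app>/local
     > etc/apps/<app>/default > etc/system/default.
  2. After every inputs.conf is merged, a key missing from a stanza falls
     back to the merged [default] stanza.
The app-to-app tie-break (app directory names in ASCII order, "A" before
"z") follows the documented rule but never matters for the files below.
"""
from __future__ import annotations

import re

_STANZA_RE = re.compile(r"\[(.+)\]")


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal .conf parser: [stanza] headers, key = value lines, # comments.
    A setting above the first header (the bare index=test at the top of the
    DesktopForwarder file) is treated as belonging to [default]."""
    stanzas: dict[str, dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = _STANZA_RE.fullmatch(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def precedence(path: str) -> tuple[int, str]:
    """Sort key for a layer path; a smaller tuple means higher precedence."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0 if parts[1] == "local" else 3, "")
    app, scope = parts[1], parts[2]
    return (1 if scope == "local" else 2, app)


def merge_layers(layers: dict[str, str]) -> dict[str, dict[str, str]]:
    """Apply layers from lowest to highest precedence so the last write wins."""
    merged: dict[str, dict[str, str]] = {}
    for path in sorted(layers, key=precedence, reverse=True):
        for stanza, settings in parse_conf(layers[path]).items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def effective_index(merged: dict[str, dict[str, str]], stanza: str) -> str | None:
    """Index a stanza routes to: its own setting, else the merged [default]."""
    return merged[stanza].get("index", merged.get("default", {}).get("index"))


def stanzas_routed_to(merged: dict[str, dict[str, str]], index: str) -> list[str]:
    return sorted(s for s in merged
                  if s != "default" and effective_index(merged, s) == index)


# Constructed layers, keyed by path relative to $SPLUNK_HOME/etc on a forwarder.
LAYERS = {
    # Approximation of the shipped file; "default" names the index set by
    # defaultDatabase in indexes.conf, normally main.
    "system/default": "[default]\nindex = default\n",
    # Abridged from the two deployment apps in the question.
    "apps/DesktopForwarder/default": (
        "index=test\n"
        "[fschange:$windir/win.ini]\nfullEvent=true\n"
        "[fschange:$windir/system32]\nfilters=filetypes-blacklist,system32-blacklist\n"
    ),
    "apps/Forwarder/default": (
        "[default]\nindex = test\n"
        "[fschange:D:\\Program Files\\Splunk\\etc]\ndisabled = 1\n"
    ),
    # Assumption: some deployed app collects Security events without an index.
    "apps/WindowsInputs/local": "[WinEventLog://Security]\ndisabled = 0\n",
}

MERGED = merge_layers(LAYERS)


def with_override(extra_layers: dict[str, str]) -> dict[str, dict[str, str]]:
    """Re-merge with extra layers, e.g. a system/local or per-stanza fix."""
    return merge_layers({**LAYERS, **extra_layers})


if __name__ == "__main__":
    print("routed to test:", stanzas_routed_to(MERGED, "test"))
    fixed = with_override({"system/local": "[default]\nindex = main\n"})
    print("after system/local override:",
          effective_index(fixed, "WinEventLog://Security"))
```

Run as-is, the Security input inherits `test` even though no file names it, because the Forwarder app's `[default] index = test` outranks `system/default` and the modelled input stanza carries no `index` of its own; a `system/local` `[default]` or an explicit `index =` on the stanza changes the answer. On a real forwarder the same resolution is reported by `splunk btool inputs list --debug`, which prints the file each winning setting came from. For the duplicate question, a search of the form `sourcetype="WinEventLog:Security" | stats dc(index) AS n_indexes values(index) AS indexes BY host RecordNumber | where n_indexes > 1` surfaces Security events that the same host wrote into more than one index, assuming the `RecordNumber` field is extracted from your Windows events as it normally is.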
