Hi ,
I have created 2 indexers in an AWS environment, with 2 forwarders and 1 search head. When I create indexes on the search head/indexers using the GUI, the configuration is as shown below.
I am not able to send access.log from /opt/log/www*/access.log to the web index. Please advise how I can fix it.
However, if I send it to the main index it works, but it does not work with any other newly created index.
Configuration
------------------
Search Head
——-------------
deployment apps
----------------------
/opt/splunk/etc/deployment-apps
[root@ip-172-31-19-169 deployment-apps]# ls -plrt
total 8
-r--r--r-- 1 506 506 307 Jul 10 03:26 README
drwx------ 4 root root 4096 Aug 17 11:06 _server_app_eng_webservers/
[root@ip-172-31-19-169 deployment-ap
/opt/splunk/etc/deployment-apps/_server_app_eng_webservers/local/
Inputs.conf
---------------
[root@ip-172-31-19-169 local]# cat inputs.conf
# Monitor input distributed to forwarders by this deployment app:
# watches /opt/log and tags matching files for the "web" index.
[monitor:///opt/log]
# blacklist and whitelist are regular expressions matched against the file
# path, not shell globs.
blacklist = secure.log
disabled = false
# NOTE(review): the target index has to be defined on every indexer that
# receives this data; confirm [web] exists on each indexer the forwarders
# send to, not just one of them.
index = web
sourcetype = access_combined_wcookie
whitelist = www*
[root@ip-172-31-19-169 local]#
IDX
——
[root@ip-172-31-29-204 etc]# cat ./apps/search/local/indexes.conf
# Definition of the "web" index as read from apps/search/local on this indexer.
[web]
coldPath = $SPLUNK_DB/web/colddb
# Archive directory for buckets that roll from cold to frozen.
# NOTE(review): path reads "fozen"; confirm the spelling matches the
# directory that actually exists and is writable by the Splunk user.
coldToFrozenDir = /opt/fozen/web
# 0 leaves data-integrity hashing off for this index, so stored raw data
# cannot later be checked for tampering. NOTE(review): confirm this is intended.
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/web/db
maxDataSize = 300
# Upper bound on the total size of this index, in MB.
maxTotalDataSizeMB = 6000
thawedPath = $SPLUNK_DB/web/thaweddb
[root@ip-172-31-29-204 etc]
——
FWD
——
[root@ip-172-31-17-211 www1]# pwd
/opt/log/www1
-rw-r--r-- 1 root root 315210 Aug 17 05:21 access.log
[root@ip-172-31-17-211 www1]#
——
regards
smdasim