Forums: SplunkAdministration: Directing client data to a new Data Store on Splunk Server


I have a client running Oracle and have the Splunk forwarding data from the client only to the Splunk indexing server. I want to keep this incoming data in a separate Data Store called Oracle (which I have already created) and out of the Main.
How do I tell Splunk to put the Oracle data from host "zoo" into a new Data Store called "Oracle"? I have looked in the ../local/index.conf file but nothing seems to jump out at me. Is this the correct location to make this data from a client redirect to Oracle Data Store instead of the Main Data Store?

Regards,

Paul Stein

Paul,

Try this on the receiver:

local/indexes.conf

[oracle]
homePath = /path_to_your_datastore/db
coldPath = /path_to_your_datastore/colddb
thawedPath = /path_to_your_datastore/thaweddb

Restart the receiver from the CLI, answer yes if required.

Then, on the zoo forwarder, add this to each input in inputs.conf:

index=oracle

Restart the forwarder. Let me know if you have trouble.

http://www.splunk.com/doc/latest/admin/RouteEventToIndex

ARaitz,
This solved my issue.
One simple heads up, after adding the "Oracle" Data Store the three lines above were automatically added to the Receiver ../local/index.conf in the [oracle] stanza.

I did add the index = oracle to each line that needed to be sent to the Oracle Data Store.

No matter what Tony Ayaz says, you are the Bomb!....not theBaum, but the Bomb!

Thank you again.

Paul

[Revised on Thu, 08 May 2008 13:15:39 -0700]

This solved the issue on the short term. After going

ARaitz,
Considering that you need to edit the ../local/inputs.conf file in order to get the index = oracle into the correct tail stanza and if you don't data will leak into the index = main data store before you can correct this, would it be prudent to have an option during setup of a new tail to allow to choose which Data Store you wish to send the data to?

Future "dot" upgrade?

Paul
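
The leak described in the post above (an input stanza without an index setting falls through to main) can be checked for before restarting the forwarder. The script below is an added example, not part of the original thread and not Splunk's own tooling; the stanza paths and sample file contents are constructed, and the `tail://` / `monitor://` stanza prefixes and the `[default]` inheritance are assumptions about the inputs.conf layout.

```python
"""Flag inputs.conf stanzas that would not land in the intended index."""

# Constructed sample for the forwarder on host "zoo"; paths are hypothetical.
SAMPLE_INPUTS_CONF = """\
[tail:///u01/oracle/admin/alert.log]
index = oracle

[tail:///u01/oracle/admin/listener.log]
sourcetype = oracle_listener

[tail:///u01/oracle/admin/audit]
index=oracle
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_index_routing(text, expected_index,
                        input_prefixes=("tail://", "monitor://")):
    """Split input stanzas into (routed, stray) lists of (name, index)."""
    stanzas = parse_stanzas(text)
    # Assumption: a [default] stanza supplies settings to every input.
    inherited = stanzas.get("default", {}).get("index")
    routed, stray = [], []
    for name, settings in stanzas.items():
        if not name.startswith(input_prefixes):
            continue
        # With no index set anywhere, events go to main.
        effective = settings.get("index", inherited) or "main"
        target = routed if effective == expected_index else stray
        target.append((name, effective))
    return routed, stray

if __name__ == "__main__":
    routed, stray = audit_index_routing(SAMPLE_INPUTS_CONF, "oracle")
    for name, idx in stray:
        print(f"NOT routed to oracle: [{name}] -> {idx}")
```
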

I guess it was a short term solution. After believing it worked I doubled back and added the remaining 12 paths to Oracle log files; inserted the index = oracle on the client and restarted both receiving and sending Splunk instances. Much to my dismay I stopped getting any more data into the Oracle Data Store.

Is there a Maximum number of tails that can be directed to the index = oracle data stores?

For a short time when I thought this worked I only had (3) dir's tailed.

Any thought before opening a Ticket to debug this?

Ps. I made a point of checking that perms were set to a 644 minimum before restarting Splunk to ensure Splunk could actually read all the files.....to no avail

Paul

Paul,

Nope, there is no maximum to how many tails can be directed to index=oracle. It seems weird that it worked on 3 and then not on 12.

I would open a support ticket so they can get your conf files and logs. I do agree on your point about an option to specify a target index when setting up inputs - you should definitely request that in the ticket.

-Alex

PS - Tony thinks I am the bomb whenever it is in his best interest :)

Patience Yago.......Patience. After waiting about 45 minutes I started to see the tails finally kick in. Maybe it was simply due to the amount of data being asked to tail and then index at one time.
Regardless, I am now starting to see my tails, almost 3500 of them, reporting in.

Yago, out.

Wooohooo! Let me know if I can assist further,