
Forums: SplunkAdministration: Pushing Windows inputs to a different index?


I'm attempting to set up a Windows instance which will act as a forwarder to our main Linux indexer.

The layout looks something like this:

windows box #1     windows box #2
       \               /
        \             /
         windows forwarder
               |
          Linux indexer

I'd like to have all gathered event logs thrown into a specific index, while WMI-monitored events go to another index on the main indexer.

Is there a way to do this? I know I can do it when using the light forwarder for Linux, I'm just not sure how to do it for Windows.

Brian

[Revised on Wed, 17 Mar 2010 06:41:07 -0700]

Looks like my little ascii drawing failed to translate after posting.

Yes. In the inputs.conf file (by default etc\apps\windows\local\inputs.conf) where you enable the WinEventLog inputs, just add the index you want it to go to, e.g.:

[WinEventLog:Security]
index = myeventlogindex

For WMI, you can globally send all WMI events by setting it where the WMI script/input is defined. The default is in etc\apps\search\default\inputs.conf; you need to override it in etc\apps\search\local\inputs.conf:

[script:$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
index = mywmiindex
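As an added example (not from this thread or from Splunk), the following Python script parses the two inputs.conf layers the answer mentions, applies the local-over-default override the way Splunk layers its config, and reports the effective index for each input so you can check that Security event logs and WMI data are not silently landing in the default index. The file contents are constructed samples; the stanza names are the ones from the answer, and the fallback to the `main` index when no `index` key is set is Splunk's default.

```python
import configparser

# Constructed sample contents standing in for
# etc\apps\search\default\inputs.conf (shipped defaults) ...
DEFAULT_CONF = """
[script:$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.py]
interval = 60
index = main
"""

# ... and the local overrides (etc\apps\search\local\inputs.conf and
# etc\apps\windows\local\inputs.conf merged into one sample here).
LOCAL_CONF = """
[script:$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.py]
index = mywmiindex

[WinEventLog:Security]
index = myeventlogindex

[WinEventLog:Application]
disabled = 0
"""


def parse_inputs_conf(text):
    """Parse an INI-style inputs.conf into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Splunk-style layering: later layers (local) override earlier (default) per key."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def effective_index(merged, fallback="main"):
    """Return {stanza: index} that each input will write to ('main' when unset)."""
    return {stanza: keys.get("index", fallback) for stanza, keys in merged.items()}


def unrouted_inputs(merged):
    """Inputs with no explicit index: candidates for an audit of log routing."""
    return sorted(stanza for stanza, keys in merged.items() if "index" not in keys)
```

Run `effective_index(merge_layers(parse_inputs_conf(DEFAULT_CONF), parse_inputs_conf(LOCAL_CONF)))` to see that the WMI script input resolves to `mywmiindex` while `WinEventLog:Application` falls back to `main`.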

Interesting: if I set up the monitoring via the web GUI on the Windows server, it doesn't put this information in the <splunkhome>/etc/system/local files. Where is it putting it?

etc\apps\search\local