Hi,
I have 3 heavy forwarders which are receiving Windows event logs using the Splunk Add-on for Microsoft Windows. This feeds into Splunk Cloud.
Currently all logs are going into "wineventlog". How can I set separate indexes by host?
Say I wanted Windows event logs from "financial_server_1" to go to an index called "financial" and logs from "security_server_1" to go to an index called "security".
I believe this can be done with a stanza in C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local, but how can I separate this by host name?
Thanks,
JG
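Host-based index routing on a heavy forwarder is done with a props.conf host stanza that calls a transforms.conf rule overriding the event's index. The configuration below is an added example, not from this thread, and assumes the host names and index names given in the question; the two files go in the `local` directory of the Splunk_TA_windows app (or any app) on each heavy forwarder, and the indexes `financial` and `security` must already exist in Splunk Cloud.

```ini
# props.conf (on each heavy forwarder)
# The host:: stanza matches the host field the forwarder assigns to the event.
[host::financial_server_1]
TRANSFORMS-routeindex = route_to_financial

[host::security_server_1]
TRANSFORMS-routeindex = route_to_security

# transforms.conf (on each heavy forwarder)
# REGEX = . matches every event from the host; DEST_KEY = _MetaData:Index
# overwrites the index set in inputs.conf (here, wineventlog).
[route_to_financial]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = financial

[route_to_security]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = security
```

Hosts with no matching stanza keep going to wineventlog, so check with `index=financial host=financial_server_1` after restarting the heavy forwarders.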