topic Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only in All Apps and Add-ons

For Symantec Web Security Service App for Splunk and TA: Why are events getting indexed in "main" index only?

pateriaak — Tue, 07 Feb 2023 21:08:07 GMT

TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via REST endpoint. I installed Symantec Web Security Service App for Splunk and TA, events are indexing in "main" index only. I defined separate index for this App and referenced in input.conf. Still can not figure out why events are indexing in main index. Any lead will be helpful. Thank you!

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

lakshman239 — Fri, 03 May 2019 10:41:15 GMT

Have you defined the local/inputs.conf with new index on the TA? [ data collection point]? You can also run the splunk btool to check if your inputs.conf if picked up/precedence.

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

adobrzeniecki_s — Fri, 03 May 2019 14:21:21 GMT

The input gets created in the app not the TA

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

_smp_ — Mon, 06 May 2019 17:16:42 GMT

The answer to this question lies in another post on this topic. See https://answers.splunk.com/answers/735808/allowed-customisation-of-target-index-is-not-used.html

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

pateriaak — Wed, 30 Sep 2020 00:21:44 GMT

@lakshman239 - yes I defined new index in local inputs.conf, however there were batch input which required new index definition -

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = new index

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

pateriaak — Mon, 06 May 2019 18:15:11 GMT

@adobrzeniecki_splunk yes, when you defined modular input through GUI it gets created in App however I defined through CLI in TA under local/inputs.conf, that worked too!

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

pateriaak — Mon, 06 May 2019 18:16:54 GMT

@scottprigge - thanks!

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

nkpiquette — Mon, 28 Oct 2019 19:34:51 GMT

@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!

Re: For Symantec Web Security Service App for Splunk and TA - Events are getting indexed in "main" index only

NDabhi21 — Tue, 07 Feb 2023 13:18:45 GMT

Dear all,

Small doubt for this topic.

If some custom index name given in sourcetype instead of "main" index, whether Index need to be created by CLI or it created by the index API ?