topic Index changes after Device IP changed and hardware refreshed in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Index-changes-after-Device-IP-changed-and-hardware-refreshed/m-p/661290#M111782 <P>Hi Community,</P><P>&nbsp;</P><P>One of the log source (e.g. index=my_index) at my company's splunk became inter=main. After multiple investigation, i found that Infrastructure Team has refreshed the device to a new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP is changed.</P><P>Thus, i have modified the monitoring path at inputs.conf in Add-on and distribute to HF by deployment server.</P><P>&nbsp;</P><P>Here is the example for what i modified:</P><P>&nbsp;</P><P>[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100&nbsp;</P><P>disabled = false&nbsp;</P><P>index = my_index</P><P>sourcetype = my:sourcetype</P><P>host_segment = 4</P><P>&nbsp;</P><P>After such changes, i tried to verify the result on HF, the inputs.conf was successfully update to the new version.&nbsp;</P><P>&nbsp;</P><P>However, the logs remain to index=main when searching on Search Head after the changes i did above.</P><P>&nbsp;</P><P>Anyone know if any other thing i need to modify? Or else there are other root cause that making the logs fall under wrong index apart from the ip changes?</P><P>&nbsp;</P> Thu, 19 Oct 2023 04:27:58 GMT splunk_newbie3 2023-10-19T04:27:58Z Index changes after Device IP changed and hardware refreshed https://community.splunk.com/t5/Getting-Data-In/Index-changes-after-Device-IP-changed-and-hardware-refreshed/m-p/661290#M111782 <P>Hi Community,</P><P>&nbsp;</P><P>One of the log source (e.g. index=my_index) at my company's splunk became inter=main. After multiple investigation, i found that Infrastructure Team has refreshed the device to a new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP is changed.</P><P>Thus, i have modified the monitoring path at inputs.conf in Add-on and distribute to HF by deployment server.</P><P>&nbsp;</P><P>Here is the example for what i modified:</P><P>&nbsp;</P><P>[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100&nbsp;</P><P>disabled = false&nbsp;</P><P>index = my_index</P><P>sourcetype = my:sourcetype</P><P>host_segment = 4</P><P>&nbsp;</P><P>After such changes, i tried to verify the result on HF, the inputs.conf was successfully update to the new version.&nbsp;</P><P>&nbsp;</P><P>However, the logs remain to index=main when searching on Search Head after the changes i did above.</P><P>&nbsp;</P><P>Anyone know if any other thing i need to modify? Or else there are other root cause that making the logs fall under wrong index apart from the ip changes?</P><P>&nbsp;</P> Thu, 19 Oct 2023 04:27:58 GMT https://community.splunk.com/t5/Getting-Data-In/Index-changes-after-Device-IP-changed-and-hardware-refreshed/m-p/661290#M111782 splunk_newbie3 2023-10-19T04:27:58Z Re: Index changes after Device IP changed and hardware refreshed https://community.splunk.com/t5/Getting-Data-In/Index-changes-after-Device-IP-changed-and-hardware-refreshed/m-p/661296#M111783 <P>Hi</P><P>your changes apply only to new events not to those which are already indexed.</P><P>r. Ismo</P> Thu, 19 Oct 2023 06:16:40 GMT https://community.splunk.com/t5/Getting-Data-In/Index-changes-after-Device-IP-changed-and-hardware-refreshed/m-p/661296#M111783 isoutamo 2023-10-19T06:16:40Z