topic Logs for ESX going into two different indexes in Getting Data In

Logs for ESX going into two different indexes

jkamdar — Tue, 11 Feb 2025 13:35:40 GMT

I have ESX hosts sending logs to rsyslog and then being ingested in Splunk.

Originally, I configured to ingest all logs (my linux servers and ESX) into one index called linux. Later, I created new index called "esx" and modified the inputs.conf on my rsyslog server to reflect in stanzas for all the esx hosts and esxvcenter (added index = esx) and restarted Splunkforwarder.

However, it looks like, I am getting data in both indexes, linux and esx.

I have checked all possible inputs.conf on my rsyslog server but can't find anywhere that directs ESX logs to "linux" index.

Any help to troubleshoot the issue would be appreciated.

Re: Logs for ESX going into two different indexes

gcusello — Tue, 11 Feb 2025 13:44:55 GMT

Hi @jkamdar ,

at first, are you sure that you are analyzing only the new data and not also the oldest?

Anyway, use btool ( https://docs.splunk.com/Documentation/Splunk/9.4.0/Troubleshooting/Usebtooltotroubleshootconfigurations ) to debug your configurations because, probably there's another input.

At least, are you sure that you're receiving logs from the same host?

Ciao.

Giuseppe

Re: Logs for ESX going into two different indexes

jkamdar — Tue, 11 Feb 2025 14:06:48 GMT

@gcusello thanks for a quick response.

>>at first, are you sure that you are analyzing only the new data and not also the oldest?

Yes, I have changes time picker for last 15 or 60 minutes to make sure it's all recent data

>> At least, are you sure that you're receiving logs from the same host?

Yes, this is a very small deployment and have only one ESX server.

>>Anyway, use btool

I meant try btool but ended up posting question before I try that. I will do that now.

Re: Logs for ESX going into two different indexes

jkamdar — Tue, 11 Feb 2025 16:48:26 GMT

@gcusello

I tried btool commands on my rsyslog server:

splunk btool inputs list and

splunk btool inputs list --debug | grep index

and the files I found are configured properly. Not sure where to look next.

Re: Logs for ESX going into two different indexes

gcusello — Tue, 11 Feb 2025 16:53:04 GMT

Hi @jkamdar ,

it's really difficoult to debug your issue without accessing your conf files and your data!

could you share your inputs.conf and props.conf?

Ciao.

Giuseppe

Re: Logs for ESX going into two different indexes

kiran_panchavat — Tue, 11 Feb 2025 17:26:44 GMT

@jkamdar

Can you send the inputs.conf and props.conf files? Also, please use the btool command to check if there are any duplicate inputs.conf configurations.

To check for duplicate inputs.conf configurations using the btool command, you can run the following:

/opt/splunk/bin/splunk btool inputs list --debug

This command will display the full path to each inputs.conf file that Splunk is reading from, making it easier to identify any duplicates.

Re: Logs for ESX going into two different indexes

jkamdar — Tue, 11 Feb 2025 19:17:42 GMT

@gcusello @kiran_panchavat thanks for your help but unfortunately, I can't share any files, sorry. I am in a air-gapped environment. I have already run splunk btool inputs list --debug | grep index . but I will try without using "grep index" and see if I can find anything weird. I haven't checked props.conf but I will check it now. As far as I know, I haven't made any change in the props.conf.

Re: Logs for ESX going into two different indexes

gcusello — Wed, 12 Feb 2025 07:17:28 GMT

Hi @jkamdar ,

cases as your is usually caused by a misconfiguration, for this reason I hint to better analyze your btool result, not using grep,

The issue could be caused by two inputs or by a transformation in props.conf.

Ciao.

Giuseppe

Re: Logs for ESX going into two different indexes

jkamdar — Wed, 12 Feb 2025 21:03:35 GMT

@gcusello I never got a chance to do it today but will try tomorrow and report back.