Data is moved to index=main

psriyanka — Wed, 04 Dec 2019 11:06:34 GMT

In my environment, I have installed an application but instead of getting the data to a particular index which is assigned and created for that particular application in splunk, its forwarding the data to index=main.

Have someone faced this issue, then pls suggest what needs to be done so that the data can be moved to the right index.

Re: Data is moved to index=main

gcusello — Wed, 04 Dec 2019 13:04:15 GMT

Hi @psriyanka,
could you share any additional info?
how do you get the data: universal forwarder, syslog or what else?
which data are you speaking of?
could you share the inputs.conf that you're using?
what's your architecture, have you Heavy Forwarders?

Ciao.
Giuseppe

Re: Data is moved to index=main

adonio — Wed, 04 Dec 2019 14:32:15 GMT

the reason for it is that you did not specify the index on your inputs.conf file
the default index when the index parameter is not set, is: main
setup inputs.conf correctly and enjoy the data in the right index

Re: Data is moved to index=main

psriyanka — Wed, 30 Sep 2020 03:16:37 GMT

Its a distributed environment, I have installed Azure Monitor Add-on for Splunk on Search Head and configured the input under setting in the splunk UI and the problem is that the data is not completely shown and the data is going to index=main, whereas I have configured the index=monitorazure to this particular application.

Have set up the Azure Monitor Add-on for Splunk to get data for the below
input for Activity Logs
input for Diagnostics Logs
input for Metrics

splunk 86420 0 0.0 00:00:00 0.0 2788 113148 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_diagnostic_logs.sh
CPUTIME = 00:00:00PercentProcessorTime = 0.0eventtype = ps os oshost performance process ps report successhost = ip-10-20-201-222index = mainlinecount = 1process_cpu_used_percent = 0.0process_name = bashpunct = __________________________________________________source = pssourcetype = pssplunk_server = ip-XXXXXXXXXXX splunk_server_group = dmc_group_indexertag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

splunk 84594 3 0.0 00:00:00 0.0 3104 115272 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_activity_log.sh
CPUTIME = 00:00:00PercentProcessorTime = 0.0eventtype = ps os oshost performance process ps report successhost = ip-10-20-201-164index = mainlinecount = 1process_cpu_used_percent = 0.0process_name = bashpunct = __________________________________________________source = pssourcetype = pssplunk_server = ip-XXXXXXXXXXXsplunk_server_group = dmc_group_indexertag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

splunk 84663 2 0.0 00:00:00 0.0 15836 133984 ? R 00:00 python2.7 /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_monitor_metrics.py
CPUTIME = 00:00:00PercentProcessorTime = 0.0eventtype = ps os oshost performance process ps report successhost = ip-10-20-201-164index = mainlinecount = 1process_cpu_used_percent = 0.0process_name = python2.7punct = __________________________________________________source = pssourcetype = pssplunk_server = ip-XXXXXXXXXXXsplunk_server_group = dmc_group_indexertag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

INPUT.CONF File:

[http://hhh]
disabled = 0
index = monitorazure
indexes = monitorazure
token = XXXX

topic Re: Data is moved to index=main in Getting Data In

Data is moved to index=main

Re: Data is moved to index=main

Re: Data is moved to index=main

Re: Data is moved to index=main