https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537843#M90135 <P>Double-check the query and settings.&nbsp; The btool output shown is for source /var/log/messages, but the query is showing source=/var/log/cron.</P> Fri, 29 Jan 2021 14:02:25 GMT richgalloway 2021-01-29T14:02:25Z https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537813#M90129 <P>Hi all,&nbsp;</P><P>&nbsp;</P><P>I have install splunk forwarder in 1 centos device, sending to indexer.&nbsp;</P><P>From the search head, i can see data from this host but the the index is put as Main.&nbsp;</P><P>On the app, we have already specify to another index and we verified that the index is created.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 849px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12735i022CB52AA95584D9/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.PNG" style="width: 930px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12736iE167E55CF305092C/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span></P><P>Anybody know what am i missing? Already restart splunk services for both host and searchhead.&nbsp;</P><P>&nbsp;</P> Fri, 29 Jan 2021 09:47:13 GMT https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537813#M90129 johnlzy0408 2021-01-29T09:47:13Z https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537843#M90135 <P>Double-check the query and settings.&nbsp; The btool output shown is for source /var/log/messages, but the query is showing source=/var/log/cron.</P> Fri, 29 Jan 2021 14:02:25 GMT https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537843#M90135 richgalloway 2021-01-29T14:02:25Z https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537856#M90139 <P>Yea i know, I am just showing an example.&nbsp;</P><P>This is the actual settings.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.PNG" style="width: 576px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12746iB54333B991DC7949/image-size/large?v=v2&amp;px=999" role="button" title="3.PNG" alt="3.PNG" /></span></P><P>&nbsp;</P><P>This is the settings in the inputs.conf. Strangely, this is set to disabled but we are receiving from this source.&nbsp;</P> Fri, 29 Jan 2021 14:36:35 GMT https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537856#M90139 johnlzy0408 2021-01-29T14:36:35Z https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537858#M90140 <P>I mean for the /var/log/cron. And strangely, all my /var/logs/messages path are also not sending since this morning. i do not know what i did&nbsp;</P> Fri, 29 Jan 2021 14:40:08 GMT https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537858#M90140 johnlzy0408 2021-01-29T14:40:08Z https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537871#M90142 <P>If you're receiving data for a disabled input then the inputs.conf either has not been loaded (restart the forwarder) or is overridden by another inputs.conf file (btool should show that).&nbsp; The same goes for data being sent to the wrong index.</P> Fri, 29 Jan 2021 16:03:03 GMT https://community.splunk.com/t5/Getting-Data-In/Data-going-to-main-even-after-set-to-different-index/m-p/537871#M90142 richgalloway 2021-01-29T16:03:03Z