https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366964#M93802 <P>Now we are getting mulesoft logs to newly created index on indexers but with other sourcetype also like syslogs . So we want to exclude sourcetype "syslogs" from newly created index.</P> Thu, 30 Nov 2017 21:42:40 GMT Swkadam 2017-11-30T21:42:40Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366960#M93798 <P>Hi,</P> <P>We have integrated Mulesoft with splunk and logs are sending to the heavy forwarder and indexing into "Main" index then forwarding to the indexers. </P> <P>On Heavy forwarder we have created new index and assigned into the Http collector event but still logs are not indexing into the newly created index.</P> <P>So do i need to create same new index on indexers as all indexers are in cluster mode.</P> Sat, 11 Nov 2017 15:37:45 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366960#M93798 Swkadam 2017-11-11T15:37:45Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366961#M93799 <P>The issue of the HEC events not being written to the newly created index on the HF is unrelated to the indexing tier. For the sake of clarity, can you confirm that you:</P> <OL> <LI>Created a new index</LI> <LI>Edited the HEC from Data Inputs and in "Select Allowed Indexes" you removed Main and added your newly created index (i.e. - new_index)</LI> <LI>When you search index="new_index" you see no events? You tried running a curl test with the HEC token and there are still no events in there?</LI> </OL> <P>Remember, new created index may not be searched by default based on the index configuration and other RBAC setting.</P> Sat, 11 Nov 2017 20:10:49 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366961#M93799 ashpatel_splunk 2017-11-11T20:10:49Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366962#M93800 <P>EDIT: I moved this to a comment: ashpatel's answer is perfectly fine, so now that it's published it, he should get the credit here. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I didn't just delete the below because it could still be useful.</P> <P>In fact, I think you need to do two additional things.</P> <P>1) Create the index on your indexers. That's where the data is going, so that's where the indexes the data is going in to need to be.</P> <P>2) Also you might need to edit the HTTP Event Collector and change it to allow it to index into that index. When you created it, if the index where these events are supposed to go you wouldn't have been able to pick it as an allowed index for that HEC to send events to, so you have to go back and reselect that again.</P> <P>Then I think it should work.</P> <P>Let us know how that goes!</P> <P>-Rich</P> Sun, 12 Nov 2017 02:28:02 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366962#M93800 Richfez 2017-11-12T02:28:02Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366963#M93801 <P>Thanks for your valuable reply.</P> <P>It is working now.</P> Mon, 13 Nov 2017 05:27:05 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366963#M93801 Swkadam 2017-11-13T05:27:05Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366964#M93802 <P>Now we are getting mulesoft logs to newly created index on indexers but with other sourcetype also like syslogs . So we want to exclude sourcetype "syslogs" from newly created index.</P> Thu, 30 Nov 2017 21:42:40 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-index-mulesoft-logs-from-Main-index-to-another/m-p/366964#M93802 Swkadam 2017-11-30T21:42:40Z