https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189020#M98511 <P>There are 4 possibilities:</P> <P>1: Inside your new inputs.conf you left <CODE>index=Index_test_03</CODE> out of one of your stanzas.<BR /> 2: You have a precedence problem where your configurations are not being used because there are configurations with <CODE>index=main</CODE> somewhere else. The most likely place is in the <CODE>learned</CODE> app so check there. Also make sure that your configurations are inside your app (not <CODE>$SPLUNK_HOME/etc/system/*/inputs.conf</CODE>), such as <CODE>$SPLUNK_HOME/etc/apps/myapp/default/inputs.conf</CODE>.<BR /> 3: You have the correct configuration files but you have not deployed them to ALL of your forwarders.<BR /> 4: You have done everything else correctly but you have not restarted the Splunk instance on all of your forwarders (which must be done after every change to <CODE>inputs.conf</CODE> that you make while debugging this).</P> <P>In any case, you should be able to sort through this by using <CODE>btool</CODE> on your forwarders to list out your inputs.conf like this:</P> <PRE><CODE>$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug </CODE></PRE> Thu, 02 Jul 2015 14:12:12 GMT woodcock 2015-07-02T14:12:12Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189013#M98504 <P>I have configured Windows logs input to a certain index Index_test_03, but very few data - tens - go there. Most of them - thousands - go to the Main Index, something I have not configured !</P> <P>I also noticed that the index I create go for App=Launcher, not Search ! The indexes I have created before are of App=Search. I have not changed anything for this to happen</P> <P>can you advise</P> <P>regards<BR /> Altin</P> Mon, 28 Sep 2020 20:27:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189013#M98504 altink 2020-09-28T20:27:26Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189014#M98505 <P>How are you collecting the information? Make sure that however you define the input for the Windows logs that you specify the index in the inputs.conf file, otherwise they will go to "main".</P> Thu, 02 Jul 2015 12:24:59 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189014#M98505 alacercogitatus 2015-07-02T12:24:59Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189015#M98506 <P>The problem is that most of them go to Main Index, while very few go to what I would be expecting - ie my index.<BR /> Shouldn't they go all to only one index ? why they are split ?</P> <P>thanks<BR /> Altin</P> Thu, 02 Jul 2015 12:33:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189015#M98506 altink 2015-07-02T12:33:52Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189016#M98507 <P>ps. I am using Universal Forwarders installed locally on windows servers to retrieve log data</P> Thu, 02 Jul 2015 12:38:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189016#M98507 altink 2015-07-02T12:38:01Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189017#M98508 <P>Please use the commenting feature, instead of answering the question.</P> <P>Verify that your indexes are set on the inputs.</P> <P>Open an Administrative Command Prompt, and type this:</P> <PRE><CODE>"C:\Program Files\Splunk\bin\splunk.exe cmd btool inputs list WinEventLog --debug " </CODE></PRE> <P>Make sure that all of the Inputs have the correct index definition defined.</P> Thu, 02 Jul 2015 12:40:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189017#M98508 alacercogitatus 2015-07-02T12:40:49Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189018#M98509 <P>I'd verify your universal forwarder configuration. For the windows event logs you are specifying in inputs.conf, you should have an "index=Index_test_03" configuration set.</P> <P>The main index is the default, and if you have events showing up there it means, for those inputs, they don't have any other index specified.</P> Mon, 28 Sep 2020 20:27:53 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189018#M98509 muebel 2020-09-28T20:27:53Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189019#M98510 <P>could you please update your "inputs.conf" and "props.conf" in your question, so we can see how individual events are parsed?</P> Thu, 02 Jul 2015 13:03:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189019#M98510 koshyk 2015-07-02T13:03:57Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189020#M98511 <P>There are 4 possibilities:</P> <P>1: Inside your new inputs.conf you left <CODE>index=Index_test_03</CODE> out of one of your stanzas.<BR /> 2: You have a precedence problem where your configurations are not being used because there are configurations with <CODE>index=main</CODE> somewhere else. The most likely place is in the <CODE>learned</CODE> app so check there. Also make sure that your configurations are inside your app (not <CODE>$SPLUNK_HOME/etc/system/*/inputs.conf</CODE>), such as <CODE>$SPLUNK_HOME/etc/apps/myapp/default/inputs.conf</CODE>.<BR /> 3: You have the correct configuration files but you have not deployed them to ALL of your forwarders.<BR /> 4: You have done everything else correctly but you have not restarted the Splunk instance on all of your forwarders (which must be done after every change to <CODE>inputs.conf</CODE> that you make while debugging this).</P> <P>In any case, you should be able to sort through this by using <CODE>btool</CODE> on your forwarders to list out your inputs.conf like this:</P> <PRE><CODE>$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug </CODE></PRE> Thu, 02 Jul 2015 14:12:12 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189020#M98511 woodcock 2015-07-02T14:12:12Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189021#M98512 <P>I have a Windows 2003 box which in Settings/Add Data/Forward has been mapped to "index_test_01". I also have a Windows 2008 box which in the same is mapped to "index_test_03".</P> <P>I have done no configuration in the Universal Forwarders - except Splunk server IP and two ports, the latest during install.</P> <P>"index_test_01" of Win 2003 is populated, while "index_test_03" of Win 2008 gets very few data, most goes to index main.</P> <P>Same config on universal forwards, same config on server - results are different.</P> <P>Can anyone help ?</P> <P>regards<BR /> Altin</P> Mon, 28 Sep 2020 20:28:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189021#M98512 altink 2020-09-28T20:28:26Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189022#M98513 <P>I have configured the respective in each Universal Forwarder and the data goes to the right index.<BR /> Thank you everyone for the support</P> <P>regards<BR /> Altin</P> Fri, 03 Jul 2015 12:25:47 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189022#M98513 altink 2015-07-03T12:25:47Z https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189023#M98514 <P>Please click "Accept" on the answer that most lead you to your solution..</P> Tue, 07 Jul 2015 04:43:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-my-data-go-in-the-wrong-Index/m-p/189023#M98514 woodcock 2015-07-07T04:43:11Z