https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522626#M4525 <P>Try <EM>btool </EM>on the source machine to check whether any apps/local inputs.conf configured with index main</P><P>Reference : <A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Troubleshooting/Usebtooltotroubleshootconfigurations" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/Troubleshooting/Usebtooltotroubleshootconfigurations</A></P> Fri, 02 Oct 2020 05:47:00 GMT renjith_nair 2020-10-02T05:47:00Z https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522604#M4524 <P>Hello,&nbsp;</P><P>I been trying to figure this out for the past 2 days now and I cannot seem to find which config file is making my host send logs to index=main. I have 4 other machines in forward management that have the same application sending logs to the correct index except for this system. It seems to send Application logs to index=main but all other security logs go to index=windows. I double checked the apps folder on that machine&nbsp; and compared it with a machine that is not sending to index main and also did the same in the etc/system/local.&nbsp;&nbsp;</P><P>&nbsp;</P><P>This is a single deployment we have a single search head and single indexer.&nbsp;</P> Thu, 01 Oct 2020 23:00:50 GMT https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522604#M4524 splunktrainingu 2020-10-01T23:00:50Z https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522626#M4525 <P>Try <EM>btool </EM>on the source machine to check whether any apps/local inputs.conf configured with index main</P><P>Reference : <A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Troubleshooting/Usebtooltotroubleshootconfigurations" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/Troubleshooting/Usebtooltotroubleshootconfigurations</A></P> Fri, 02 Oct 2020 05:47:00 GMT https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522626#M4525 renjith_nair 2020-10-02T05:47:00Z https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522637#M4527 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59944">@splunktrainingu</a>&nbsp;..<BR />Q -&nbsp;<SPAN>I cannot seem to find which config file is making my host send logs to index=main.</SPAN></P><P>Answers:<BR />1. on the forwarder(s), you can run the btool command.</P><P>2. on the forwarder(s), you can view the inputs.conf file directly and see which log file is sending data to which index.</P><P>3. on splunk GUI, when you search for the logs from a host/forwarder, you can list down the source, sourcetype as well.<BR />for example:&nbsp;</P><P>index=main host=UF-hostname | table source sourcetype index _raw _time</P><P><BR />(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")</P> Fri, 02 Oct 2020 07:43:22 GMT https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522637#M4527 inventsekar 2020-10-02T07:43:22Z https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522758#M4535 <P>Thank you! from now on I am going to use this! It was so easy to see for some reason there was a inputs.conf in SplunkUniversalforwarder/etc/app/splunkuniversalforwarder/local/inputs.conf</P><P>&nbsp;</P><P>&nbsp;</P><P>I used the command</P><PRE>splunk btool inputs list --debug</PRE> Fri, 02 Oct 2020 23:44:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Log-keeps-sending-to-index-main/m-p/522758#M4535 splunktrainingu 2020-10-02T23:44:17Z