
Allowed customisation of target index is not used

Path Finder

Hello,

In the » Data inputs » Symantec Web Security Service Configuration there is a » More settings section where it seems possible to specify a custom index.

But this value is never used afterwards, and in the end the logs still go to index=main.

The only way to do that customization is to add a local file and put the target index info here:
/opt/splunk/etc/apps/TA-SymantecWebSecurityService/local/inputs.conf

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = bluecoat
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
index = bluecoat

Best regards


Re: Allowed customisation of target index is not used

Builder

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!

0 Karma

Re: Allowed customisation of target index is not used

New Member

Tried adding the stanza for custom index and still not seeing data in that index.

0 Karma
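
A way to check which index the batch stanza ends up with once default/ and local/ are layered, as an added example that is not part of the thread or the TA's own code. The conf text and the input name `example` are constructed, the `main` fallback is taken from the behaviour reported in the first post, and the merge is a simplified single-app model; on a real instance `splunk btool inputs list --debug` shows the merged view.

```python
# Added example. Simplified model of one app's conf layering: local/ overrides
# default/ per key, and only for stanzas whose names match exactly.
BATCH = r"batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip"

# Constructed sample text, not the TA's shipped files.
DEFAULT_CONF = "[" + BATCH + "]\nmove_policy = sinkhole\n"
# What the thread describes: the index set on the modular input only.
LOCAL_UI_ONLY = "[scwss-poll://example]\nindex = bluecoat\n"
# The workaround from the first post: index set on the batch stanza as well.
LOCAL_FIXED = LOCAL_UI_ONLY + "\n[" + BATCH + "]\nindex = bluecoat\n"


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def merge_layers(default, local):
    """Return default/ settings with local/ settings applied on top."""
    merged = {name: dict(kv) for name, kv in default.items()}
    for name, kv in local.items():
        merged.setdefault(name, {}).update(kv)
    return merged


def batch_indexes(default_text, local_text, fallback="main"):
    """Effective index of every batch:// stanza after layering."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return {name: kv.get("index", fallback)
            for name, kv in merged.items() if name.startswith("batch://")}


if __name__ == "__main__":
    for label, local in (("UI only", LOCAL_UI_ONLY), ("fixed", LOCAL_FIXED)):
        for name, index in batch_indexes(DEFAULT_CONF, local).items():
            print(f"{label}: [{name}] -> index={index}")
```

A local stanza whose name differs from the default one by even a character is treated as a separate input, so the original batch stanza keeps its fallback index.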