TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via a REST endpoint. I installed the Symantec Web Security Service App for Splunk and the TA; events are being indexed in the "main" index only. I defined a separate index for this App and referenced it in inputs.conf. I still cannot figure out why events are being indexed in the main index. Any lead will be helpful. Thank you!
@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:
Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.
For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.
So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.
Thanks again!
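To make the two-step behaviour above concrete, here is an added example (not from the thread, the App, or the TA) that simulates how Splunk layers default/inputs.conf and local/inputs.conf and then reports which index each batch stanza resolves to. The batch stanza name is the one quoted in this thread; the modular input name 'wss_logs', the interval, the sourcetype value and the index name 'wss' are constructed for illustration. Because roles and retention in Splunk are scoped by index, proxy logs that silently fall back to main can become visible to roles that were never meant to see them, which is why this check is worth running before trusting the new index.

```python
# Added example (not from the thread or from the TA): a small simulation of
# Splunk's default/local layering for inputs.conf. It shows why an `index =`
# line placed on the 'scwss-poll' modular input stanza leaves the batch input
# untouched, so the events it indexes still land in the default index.
import configparser

# Stanza name for the batch input, as quoted in the thread. In Splunk's
# monitor/batch path syntax, '...' is a recursive wildcard, not an omission.
BATCH_STANZA = "batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip"

# Constructed stand-in for the TA's default/inputs.conf. The modular input
# name 'wss_logs' and the settings below are assumptions for illustration.
DEFAULT_INPUTS = f"""
[scwss-poll://wss_logs]
interval = 300

[{BATCH_STANZA}]
move_policy = sinkhole
sourcetype = scwss:log
"""

# local/inputs.conf as the original poster had it: the new index is set on
# the poller, which only writes files to the spool directory.
LOCAL_INDEX_ON_POLLER = """
[scwss-poll://wss_logs]
index = wss
"""

# local/inputs.conf following the accepted answer: the index is set on the
# batch input, the stanza that actually indexes the spooled files.
LOCAL_INDEX_ON_BATCH = f"""
[{BATCH_STANZA}]
index = wss
"""

DEFAULT_INDEX = "main"  # where events go when a stanza has no index= setting


def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk settings are case-sensitive; keep them as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Layer conf dicts in precedence order (default first, local last), the
    way Splunk merges default/ and local/: later layers override per key."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def effective_batch_indexes(local_text):
    """Return {batch stanza: index} after layering local_text over the defaults."""
    merged = merge_layers(parse_conf(DEFAULT_INPUTS), parse_conf(local_text))
    return {
        stanza: settings.get("index", DEFAULT_INDEX)
        for stanza, settings in merged.items()
        if stanza.startswith("batch://")
    }


if __name__ == "__main__":
    # The first line shows the original poster's symptom (batch input still on
    # main); the second shows the fix from the answer above taking effect.
    print("index on poller :", effective_batch_indexes(LOCAL_INDEX_ON_POLLER))
    print("index on batch  :", effective_batch_indexes(LOCAL_INDEX_ON_BATCH))
```

On a real deployment the same question is answered by `splunk btool inputs list --debug`, which prints the merged stanzas together with the file each setting came from; the simulation above mirrors that merge so the precedence rule can be seen without a Splunk install.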
The answer to this question lies in another post on this topic. See https://answers.splunk.com/answers/735808/allowed-customisation-of-target-index-is-not-used.html
@scottprigge - thanks!
Have you defined local/inputs.conf with the new index on the TA (the data collection point)? You can also run splunk btool to check whether your inputs.conf is picked up and what its precedence is.
@lakshman239 - yes, I defined the new index in local/inputs.conf; however, there was a batch input which required the new index definition:
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = new index
The input gets created in the app, not the TA.
@adobrzeniecki_splunk yes, when you define the modular input through the GUI it gets created in the App; however, I defined it through the CLI in the TA under local/inputs.conf, and that worked too!
Dear all,
A small doubt on this topic.
If a custom index name is given in the sourcetype instead of the "main" index, does the index need to be created via the CLI, or is it created by the index API?