TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via a REST endpoint. I installed the Symantec Web Security Service App for Splunk and the TA, but events are indexing in the "main" index only. I defined a separate index for this App and referenced it in input.conf. I still cannot figure out why events are indexing in the main index. Any lead will be helpful. Thank you!
@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:
Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.
For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.
So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.
@lakshman239 - yes, I defined a new index in local inputs.conf; however, there were batch inputs which required a new index definition -
index = new index
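A check for the situation described in this thread, added here as an example and not part of the thread or the TA: it merges one app's default and local inputs.conf (local wins per key) and lists batch inputs whose effective index is not the intended one. The stanza names, file pattern and the index name `proxy` are constructed placeholders, and the merge assumes a single app with no other configuration layers.

```python
import configparser

# Constructed sample files. Stanza names, the file pattern and the index name
# "proxy" are placeholders, not copied from the TA.
DEFAULT_CONF = """
[scwss-poll://example]
interval = 300

[batch:///opt/splunk/var/spool/splunk/...example_scwss_pattern]
move_policy = sinkhole
"""

# Local override that only touches the modular input (the situation in the question).
LOCAL_CONF_BEFORE = """
[scwss-poll://example]
index = proxy
"""

# Local override that also sets the index on the batch input (the fix).
LOCAL_CONF_AFTER = LOCAL_CONF_BEFORE + """
[batch:///opt/splunk/var/spool/splunk/...example_scwss_pattern]
index = proxy
"""

def parse(text):
    # Only "=" is a delimiter, so colons in stanza names and keys are left alone.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp

def effective_index(default_text, local_text):
    """Return {stanza: index} after layering local over default."""
    merged = {}
    for text in (default_text, local_text):
        cp = parse(text)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    # An input with no index setting lands in "main" unless [default] sets one.
    fallback = merged.get("default", {}).get("index", "main")
    return {s: kv.get("index", fallback) for s, kv in merged.items() if s != "default"}

def batch_inputs_in_wrong_index(default_text, local_text, wanted):
    """List batch stanzas that would not index into the wanted index."""
    eff = effective_index(default_text, local_text)
    return sorted(s for s, idx in eff.items() if s.startswith("batch://") and idx != wanted)

if __name__ == "__main__":
    print(batch_inputs_in_wrong_index(DEFAULT_CONF, LOCAL_CONF_BEFORE, "proxy"))
    print(batch_inputs_in_wrong_index(DEFAULT_CONF, LOCAL_CONF_AFTER, "proxy"))
```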