
For Symantec Web Security Service App for Splunk and TA: Why are events getting indexed in "main" index only?

pateriaak
Explorer

TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via a REST endpoint. I installed the Symantec Web Security Service App for Splunk and the TA, and events are being indexed in the "main" index only. I defined a separate index for this App and referenced it in inputs.conf. I still cannot figure out why events are being indexed in main. Any lead will be helpful. Thank you!

0 Karma

nkpiquette
Path Finder

@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!

_smp_
Builder

The answer to this question lies in another post on this topic. See https://answers.splunk.com/answers/735808/allowed-customisation-of-target-index-is-not-used.html

0 Karma

pateriaak
Explorer

@scottprigge - thanks!

0 Karma

lakshman239
Influencer

Have you defined local/inputs.conf with the new index on the TA (the data collection point)? You can also run splunk btool to check whether your inputs.conf is picked up and what precedence it gets.

0 Karma

pateriaak
Explorer

@lakshman239 - yes, I defined the new index in local inputs.conf; however, there was a batch input which required a new index definition -

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = new index

0 Karma
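The two-step behaviour described above (modular input drops a file into the spool directory, batch input indexes it) is why an `index =` line on the scwss-poll stanza alone has no effect, and why lakshman239's btool suggestion is the right check: `splunk btool inputs list --debug` prints every effective setting together with the file it came from. The following is an added example, not code from the Symantec TA or from Splunk: it mimics Splunk's default/local layering of inputs.conf (a key in local/ overrides the same key in default/, stanza by stanza) and reports the effective index of every batch:// stanza, so you can see which ones still fall back to "main". The stanza names, the sourcetype and the index name "websecurity" are constructed placeholders; the TA's real batch stanza path is not reproduced here.

```python
"""Report the effective index of every batch:// stanza in a Splunk TA.

Added example for this thread; not code from the Symantec TA or from Splunk.
It layers a constructed default/inputs.conf and local/inputs.conf the way
Splunk does (local wins per key) and shows why setting index on the
modular input changes nothing: the batch stanza does the indexing.
"""
import configparser

# Hypothetical stanza names; the real TA's stanza paths are not used here.
MODINPUT_STANZA = "scwss-poll://example"
BATCH_STANZA = "batch://$SPLUNK_HOME/var/spool/splunk/example_scwss_logs.zip"

# Constructed stand-in for the TA's default/inputs.conf.
DEFAULT_CONF = f"""
[{MODINPUT_STANZA}]
interval = 300
disabled = 0

[{BATCH_STANZA}]
move_policy = sinkhole
sourcetype = example:scwss
disabled = 0
"""

# local/inputs.conf as first written in the thread: index only on the modular input.
LOCAL_WRONG = f"""
[{MODINPUT_STANZA}]
index = websecurity
"""

# local/inputs.conf with the same override added to the batch stanza.
LOCAL_FIXED = LOCAL_WRONG + f"""
[{BATCH_STANZA}]
index = websecurity
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def effective_conf(default_text, local_text):
    """Merge default and local the way Splunk layers them: local wins per key."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def batch_indexes(merged):
    """Effective index per batch:// stanza: stanza index, else [default] index, else main."""
    fallback = merged.get("default", {}).get("index", "main")
    return {s: k.get("index", fallback) for s, k in merged.items() if s.startswith("batch://")}


def batch_stanzas_left_on_main(default_text, local_text):
    """Names of batch stanzas whose events will still land in main."""
    merged = effective_conf(default_text, local_text)
    return [s for s, idx in batch_indexes(merged).items() if idx == "main"]


if __name__ == "__main__":
    cases = (("index on modular input only", LOCAL_WRONG),
             ("index on batch stanza too", LOCAL_FIXED))
    for label, local in cases:
        print(label)
        for stanza, idx in batch_indexes(effective_conf(DEFAULT_CONF, local)).items():
            print(f"  {stanza} -> index={idx}")
```

The `[default]` stanza fallback is a simplification of Splunk's full precedence rules (app ordering, user context, system/local), which is why the authoritative check on a real deployment remains btool's `--debug` output rather than this script.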

adobrzeniecki_s
Splunk Employee

The input gets created in the app not the TA

0 Karma

pateriaak
Explorer

@adobrzeniecki_splunk yes, when you define a modular input through the GUI it gets created in the App; however, I defined it through the CLI in the TA under local/inputs.conf, and that worked too!

0 Karma

NDabhi21
Explorer

Dear all,

Small doubt for this topic.

If some custom index name is given in the sourcetype instead of the "main" index, does the index need to be created by CLI, or is it created by the index API?


0 Karma