For Symantec Web Security Service App for Splunk and TA: Why are events getting indexed in "main" index only?

pateriaak
Explorer

TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via a REST endpoint. I installed the Symantec Web Security Service App for Splunk and the TA; events are indexing in the "main" index only. I defined a separate index for this App and referenced it in inputs.conf. I still cannot figure out why events are indexing in the main index. Any lead will be helpful. Thank you!

0 Karma

nkpiquette
Path Finder

@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input in inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs in inputs.conf index those files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!
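As an added illustration of the two-step behaviour described above (this is not code from the TA or from any post in this thread), the following hypothetical Python checker parses an inputs.conf-style text and reports which index each stanza will actually write to. Splunk sends an input with no `index =` setting to the default index, which is "main" unless that default has been changed. The stanza names and values in the samples are constructed for the example; the only one taken from the thread is the `...stash_ta_scwss_logs.zip` batch path.

```python
"""Hypothetical inputs.conf index checker (added example, not part of the TA).

Parses a Splunk inputs.conf text and resolves the effective index of every
stanza.  The point it demonstrates: an 'index =' on the scwss-poll modular
input does not carry over to the batch:// stanza that really indexes the
spooled files, so a batch stanza without its own 'index =' lands in 'main'.
"""
import configparser

# Splunk's default index unless defaultDatabase was changed in indexes.conf.
DEFAULT_INDEX = "main"

# Constructed 'before' sample: the modular input has a custom index, but the
# batch stanza (the one that indexes the spooled zip) has none.
BEFORE_INPUTS_CONF = """
[scwss-poll://wss_prod]
index = web_proxy
interval = 300

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
move_policy = sinkhole
sourcetype = symantec:wss
"""

# Constructed 'after' sample: the same file with 'index =' added to the batch
# stanza, which is the fix described in the thread.
AFTER_INPUTS_CONF = """
[scwss-poll://wss_prod]
index = web_proxy
interval = 300

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
move_policy = sinkhole
sourcetype = symantec:wss
index = web_proxy
"""


def parse_conf(text):
    """Parse Splunk's stanza/key=value format with the stdlib configparser.

    Interpolation is disabled because stanza names contain '$SPLUNK_HOME',
    and optionxform is identity because Splunk keys are case-sensitive.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_indexes(text, default_index=DEFAULT_INDEX):
    """Map every stanza name to the index its events will be written to."""
    cp = parse_conf(text)
    return {name: cp[name].get("index", default_index) for name in cp.sections()}


def batch_stanzas_landing_in(text, index=DEFAULT_INDEX):
    """Return the batch:// stanzas whose events will end up in `index`."""
    return [
        name
        for name, idx in effective_indexes(text).items()
        if name.startswith("batch://") and idx == index
    ]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_INPUTS_CONF), ("after", AFTER_INPUTS_CONF)):
        print(f"--- {label} ---")
        for name, idx in effective_indexes(conf).items():
            print(f"{name}\n    -> index={idx}")
        print("batch stanzas still going to main:", batch_stanzas_landing_in(conf))
```

On a real instance the merged view matters more than any single file, since local/ overrides default/ and the App and TA may both carry an inputs.conf; feed the checker the output of `splunk btool inputs list --debug` (or inspect that output directly) rather than one file in isolation.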

_smp_
Builder

The answer to this question lies in another post on this topic. See https://answers.splunk.com/answers/735808/allowed-customisation-of-target-index-is-not-used.html

0 Karma

pateriaak
Explorer

@scottprigge - thanks!

0 Karma

lakshman239
Influencer

Have you defined local/inputs.conf with the new index on the TA [the data collection point]? You can also run splunk btool to check whether your inputs.conf is picked up and what its precedence is.

0 Karma

pateriaak
Explorer

@lakshman239 - yes, I defined the new index in local inputs.conf; however, there was a batch input which required a new index definition:

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = new index

0 Karma

adobrzeniecki_s
Splunk Employee

The input gets created in the App, not the TA.

0 Karma

pateriaak
Explorer

@adobrzeniecki_splunk yes, when you define a modular input through the GUI it gets created in the App; however, I defined it through the CLI in the TA under local/inputs.conf, and that worked too!

0 Karma

NDabhi21
Explorer

Dear all,

A small doubt on this topic.

If a custom index name is given in the sourcetype instead of the "main" index, does the index need to be created by CLI, or is it created by the index API?

0 Karma