
How to change the Azure Monitor (TA-Azure_Monitor) index from default "main" on a heavy forwarder?

Log_wrangler
Builder

I am having a bit of trouble changing index = main to index = azure_data.

I installed the TA on a heavy forwarder.
In /opt/splunk/etc/apps/TA-Azure_Monitor/default I see inputs.conf,

[azure_activity_log]
index=main
interval=60
sourcetype=amal:activityLog

I made a copy of inputs.conf to /opt/splunk/etc/apps/TA-Azure_Monitor/local

and modified it to

[azure_activity_log]
index=azure_data
interval=60
sourcetype=amal:activityLog

Then I did a restart... no errors seen on restart or with btool. But no data rolls into the new index = azure_data

The index azure_data was previously created on the indexer, and I have other data from Splunk_TA_microsoft-cloudservices currently rolling into it no problem.

Please advise.

Thank you


jconger
Splunk Employee

Is the individual instance input in your inputs.conf overriding the global parameter?

For example, the following in inputs.conf will still send data to the main index:

[azure_activity_log]
index=azure_data
interval=60
sourcetype=amal:activityLog

[azure_activity_log://Azure Monitor Activity Log]
SPNApplicationId = ********
SPNApplicationKey = ********
SPNTenantID = 123456
eventHubNamespace = eh123456
index = main
interval = 60
secretName = 123456
secretVersion = 123456
sourcetype = amal:activityLog
vaultName = kv123456
disabled = 0
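To make the precedence point in the answer above concrete, here is an added example that is not part of this thread and not code from the TA-Azure_Monitor add-on. It models the two layering rules that matter here: within an app, local/ overrides default/ key by key, and for a modular input the instance stanza [scheme://name] overrides the scheme-level [scheme] stanza key by key. The conf text is constructed to mirror the stanzas quoted in the thread (credential and Key Vault fields are left out because they do not affect routing); the parser and the cross-app ordering it ignores are simplifications of what btool does, labelled as such in the comments.

```python
"""Added example: a minimal model of Splunk inputs.conf layering.

Assumptions (not from the thread): the precedence modelled here is the
documented Splunk behaviour (local/ beats default/ per key; an instance
stanza [scheme://name] beats the scheme stanza [scheme] per key; [default]
is the last resort). Ordering across multiple apps is deliberately ignored.
"""
from typing import Dict

Conf = Dict[str, Dict[str, str]]

# Constructed to mirror the thread: the add-on's shipped default/inputs.conf.
DEFAULT_INPUTS = """
[azure_activity_log]
index=main
interval=60
sourcetype=amal:activityLog
"""

# Constructed: local/inputs.conf after copying and editing the generic stanza,
# plus the instance stanza the input setup wrote, still carrying index = main.
LOCAL_BROKEN = """
[azure_activity_log]
index=azure_data
interval=60
sourcetype=amal:activityLog

[azure_activity_log://Azure Monitor Activity Log]
SPNTenantID = 123456
eventHubNamespace = eh123456
index = main
interval = 60
sourcetype = amal:activityLog
disabled = 0
"""

# Constructed fix 1: point the instance stanza itself at the new index.
LOCAL_FIXED = LOCAL_BROKEN.replace("index = main", "index = azure_data")

# Constructed fix 2: drop the key from the instance stanza so it inherits
# from the generic [azure_activity_log] stanza in local/.
LOCAL_INHERIT = LOCAL_BROKEN.replace("index = main\n", "")

INSTANCE = "azure_activity_log://Azure Monitor Activity Log"


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style 'key = value' stanzas into {stanza: {key: value}}.

    Simplified parser: no line continuations or comments inside values.
    Keys that appear before any header belong to the implicit [default].
    """
    conf: Conf = {}
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        key, _, value = line.partition("=")
        conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def layer(default: Conf, local: Conf) -> Conf:
    """Merge local/ over default/ key by key, as btool does for one app."""
    merged: Conf = {name: dict(kv) for name, kv in default.items()}
    for name, kv in local.items():
        merged.setdefault(name, {}).update(kv)
    return merged


def effective_setting(conf: Conf, stanza: str, key: str, fallback: str) -> str:
    """Resolve one key for a [scheme://name] input: instance stanza first,
    then the [scheme] stanza, then [default], then the global fallback."""
    scheme = stanza.split("://", 1)[0]
    for candidate in (stanza, scheme, "default"):
        value = conf.get(candidate, {}).get(key)
        if value is not None:
            return value
    return fallback


def resolve_index(local_text: str) -> str:
    """Effective index for the activity-log input given a local/inputs.conf."""
    conf = layer(parse_conf(DEFAULT_INPUTS), parse_conf(local_text))
    return effective_setting(conf, INSTANCE, "index", "main")


if __name__ == "__main__":
    for label, text in (("broken", LOCAL_BROKEN), ("fixed", LOCAL_FIXED),
                        ("inherit", LOCAL_INHERIT), ("no local", "")):
        print(f"{label:>9}: index -> {resolve_index(text)}")
```

The "broken" case is exactly the layout in the answer: the generic stanza in local/ says azure_data, but the instance stanza still says main, and the instance wins. Either fix moves the data. On a real heavy forwarder the check that replaces this model is `splunk btool inputs list "azure_activity_log://Azure Monitor Activity Log" --debug`, which prints the file each effective line comes from; if the `index` line resolves to a local/ instance stanza carrying main, that is the line to change.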

adonio
Ultra Champion

Did you see events from that sourcetype in the main index?
Any errors in the _internal index?
