All Apps and Add-ons

SRX Indexing

mad4wknds
Path Finder

I am able to see srx_logs in a new index "SRX" but I want it to go to the "main" index. I cannot see SRX logs in the search app when changing Splunk > etc > system > local > inputs.conf > [udp://514] index=main

BTW: I can see other source types in the "main" index.


sbrant_splunk
Splunk Employee

One possibility is that there is a transforms.conf being utilized that is forcing an index name. Are you using a Juniper app to view the data? This is probably the case if there happens to be an SRX index that you did not create.

There is also a possibility that the date/time extraction is not happening properly, or the timezone is not set properly. If that is the case and you're looking over a relative time period (say back 15 minutes) or even all-time, your search may not return the events showing up from the SRX. When running your search, select real-time -> All Time (real-time) on the time picker. This should show events coming in (if they actually are coming in) regardless of whether or not they have a future time set.

mad4wknds
Path Finder

I found the answer to my problem. I had never used btool before. I analyzed the "default" props.conf file and found some extra configs there.

OK, I know not to modify default files. I just inherited this environment. Thanks for the suggestion.


sbrant_splunk
Splunk Employee

Splunk would not put the data in an index you created unless it's directed to. You can run btool to look at your active configuration and that may lead you to the answer:

splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...
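
To show what the two suggestions in this thread are looking for (a transforms.conf stanza that forces the index, and the layered configuration that btool reports), here is a small added example. It is not Splunk code and not code from either poster: it emulates the merge that `splunk cmd btool <conf> list --debug` prints (later layer wins per key, origin file recorded), then walks props.conf TRANSFORMS-* entries to find a transform with `DEST_KEY = _MetaData:Index`, which rewrites the index regardless of what inputs.conf says. Every file path and file body is constructed for illustration; the function names (`merge_layers`, `index_overrides`, `resolve_index`) are this example's own, and the stanza matching is simplified to sourcetype only (no REGEX evaluation, no `source::`/`host::` stanzas).

```python
# Added example for this thread, not Splunk code. Emulates the config layering
# that `btool --debug` reports and checks for index-rewriting transforms.
# All paths and file bodies below are constructed sample data.
from typing import Dict, List, Tuple

Setting = Tuple[str, str]               # (value, file the value came from)
Merged = Dict[str, Dict[str, Setting]]  # stanza -> key -> Setting
Layers = List[Tuple[str, str]]          # (path, file text), lowest precedence first

# Constructed layers. Splunk's global-context order is
# system/default < app/default < app/local < system/local: a later file
# overrides only the keys it sets and leaves the rest untouched.
SAMPLE_LAYERS: Dict[str, Layers] = {
    "inputs.conf": [
        ("etc/system/default/inputs.conf",
         "[udp://514]\nindex = SRX\nsourcetype = juniper\n"),
        ("etc/system/local/inputs.conf",
         "[udp://514]\nindex = main\n"),
    ],
    "props.conf": [
        ("etc/system/default/props.conf",
         "# stray setting left behind in a default file (constructed)\n"
         "[juniper]\nTRANSFORMS-srx = force_srx_index\n"),
    ],
    "transforms.conf": [
        ("etc/system/default/transforms.conf",
         "[force_srx_index]\nREGEX = .\nDEST_KEY = _MetaData:Index\nFORMAT = SRX\n"),
    ],
}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one .conf file into {stanza: {key: value}}. Settings before the
    first [stanza] land in 'default', as Splunk treats them."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(layers: Layers) -> Merged:
    """Merge layers in precedence order, remembering which file supplied each
    winning value, which is what the --debug column of btool shows."""
    merged: Merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                target[key] = (value, path)
    return merged


def btool_debug_lines(layers: Layers) -> List[str]:
    """Render the merged view in the 'origin  key = value' shape of btool --debug."""
    out: List[str] = []
    for stanza, settings in merge_layers(layers).items():
        out.append(f"[{stanza}]")
        for key, (value, origin) in sorted(settings.items()):
            out.append(f"{origin:<36} {key} = {value}")
    return out


def index_overrides(props: Merged, transforms: Merged) -> List[Tuple[str, str, str, str]]:
    """Find TRANSFORMS-* entries whose transforms stanza sets
    DEST_KEY = _MetaData:Index; these replace the inputs.conf index at index
    time. Returns (props stanza, transform name, new index, props file)."""
    hits = []
    for stanza, settings in props.items():
        for key, (value, origin) in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY", ("", ""))[0] == "_MetaData:Index":
                    hits.append((stanza, name, t.get("FORMAT", ("", ""))[0], origin))
    return hits


def resolve_index(layers: Dict[str, Layers], input_stanza: str) -> Setting:
    """Effective index for one input: the inputs.conf value ('main' when unset,
    mirroring indexes.conf defaultDatabase) unless a transform attached to the
    input's sourcetype rewrites it."""
    inputs = merge_layers(layers["inputs.conf"])
    props = merge_layers(layers["props.conf"])
    transforms = merge_layers(layers["transforms.conf"])
    settings = inputs.get(input_stanza, {})
    index, origin = settings.get("index", ("main", "indexes.conf defaultDatabase"))
    sourcetype = settings.get("sourcetype", ("", ""))[0]
    for st, name, new_index, props_file in index_overrides(props, transforms):
        if st == sourcetype:
            return new_index, f"{props_file} via transforms stanza [{name}]"
    return index, origin


if __name__ == "__main__":
    for line in btool_debug_lines(SAMPLE_LAYERS["inputs.conf"]):
        print(line)
    print("effective index for [udp://514]:", resolve_index(SAMPLE_LAYERS, "udp://514"))
```

In the sample data, the merged inputs.conf shows `index = main` coming from system/local, exactly as the poster set it, yet the event still lands in SRX because a props.conf entry in a default directory attaches a transform that writes `_MetaData:Index`. On a real system the equivalent checks are `splunk cmd btool props list --debug` and `splunk cmd btool transforms list --debug`, grepping the latter for `DEST_KEY = _MetaData:Index` and then following the `TRANSFORMS-` reference back to the props stanza and file that carries it.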

mad4wknds
Path Finder

I created the "SRX" index as a test to see if I could get any firewall data in the search app at all. I have the SRX app but I have to get it into the search app first. I have tried changing the index to "main" and "summary"; neither of them works. No local transforms.conf defined. And date/time extraction is not the issue.
