All Apps and Add-ons

SRX Indexing

mad4wknds
Path Finder

I am able to see srx_logs in a new index "SRX" but I want it to go to the "main" index. I can not see SRX logs in the search app when changing Splunk>etc>System>local>Inputs.conf>[UDP://514] index=main

BTW:I can see other source types in the "main" index.

Tags (1)
0 Karma

sbrant_splunk
Splunk Employee
Splunk Employee

One possibility is that there is a transforms.conf being utilized that is forcing an index name. Are you using a Juniper app to view the data? This is probably the case if there happens to be an SRX index that you did not create.

There is also a possibility that the date/time extraction is not happening properly, or the timezone is not set properly. If that is the case and you're looking over a relative time period (say back 15 minutes) or even all-time, your search may not return the events showing up from the SRX. When running your search, select real-time -> All Time (real-time) on the time picker. This should show events coming in (if they actually are coming in) regardless of whether or not they have a future time set.

mad4wknds
Path Finder

I found the answer to my problem. I had never used the btool before. I analyzed the "default" props.conf file. and found some extra configs there.

OK I know not to modify default files. I just inherited this environment. Thanks for the suggestion.

0 Karma

sbrant_splunk
Splunk Employee
Splunk Employee

Splunk would not put the data in an index you created unless it's directed to. You can run btool to look at your active configuration and that may lead you to the answer:

splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

mad4wknds
Path Finder

I created the "SRX" index as a test to see if I could get any firewall data in the search app at all. I have the SRX app but I have to get it into the search app first. I have tried changing the index to "main" and "summary" neither of them work. No local Transforms.conf defined. And Date/Time extractions is not the issue.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...