Re: Splunk Add-on for Amazon Web Services: Why are...

cwyse · ‎12-07-2015

We started collecting VPC flow logs at some point. But it started writing them to /opt/splunk/var/lib/splunk/$INDEXNAME instead of the /EBS/$INDEXNAME which is where the actual index I wanted to write was. This is only datamodel_summary info. When switched to default or main we see the same thing. It writes to the local / directory instead of EBS. Anyone know how to change this? So we decided to remove the vpc_flow information all together, but somehow it keeps coming in. I'm not sure how it's getting the info, how to make it stop, or how to make it at least go to the right place. Any ideas?

jeffland · ‎12-08-2015

It should work like this: in your inputs.conf, you define which index the data is sent to. In indexes.conf, you define where an input is located on disk.

Did you set up any of these .conf files by hand, or are you using them as they came with the app? I must admit I don't know what the standard settings are, but you should probably check the app and see a) which index your data is routed to and b) where that index is located, and change those settings accordingly.

Splunk Add-on for Amazon Web Services: Why are VPC Flow logs writing to local index and not our storage based index?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation