Getting Data In

Why does my data go to the wrong index?

altink
Builder

I have configured a Windows logs input to a certain index, Index_test_03, but very little data (tens of events) goes there. Most of it (thousands of events) goes to the main index, something I have not configured!

I also noticed that the indexes I create go under App=Launcher, not Search! The indexes I created before are under App=Search. I have not changed anything for this to happen.

Can you advise?

regards
Altin

0 Karma

altink
Builder

I have a Windows 2003 box which in Settings/Add Data/Forward has been mapped to "index_test_01". I also have a Windows 2008 box which in the same is mapped to "index_test_03".

I have done no configuration in the Universal Forwarders, except for the Splunk server IP and two ports, the latter during install.

"index_test_01" of Win 2003 is populated, while "index_test_03" of Win 2008 gets very little data; most goes to the index main.

Same config on the universal forwarders, same config on the server, but the results are different.

Can anyone help?

regards
Altin

0 Karma

woodcock
Esteemed Legend

There are 4 possibilities:

1: Inside your new inputs.conf you left index=Index_test_03 out of one of your stanzas.
2: You have a precedence problem where your configurations are not being used because there are configurations with index=main somewhere else. The most likely place is in the learned app so check there. Also make sure that your configurations are inside your app (not $SPLUNK_HOME/etc/system/*/inputs.conf), such as $SPLUNK_HOME/etc/apps/myapp/default/inputs.conf.
3: You have the correct configuration files but you have not deployed them to ALL of your forwarders.
4: You have done everything else correctly but you have not restarted the Splunk instance on all of your forwarders (which must be done after every change to inputs.conf that you make while debugging this).

In any case, you should be able to sort through this by using btool on your forwarders to list out your inputs.conf like this:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug

altink
Builder

I have configured the respective in each Universal Forwarder and the data goes to the right index.
Thank you everyone for the support

regards
Altin

0 Karma

woodcock
Esteemed Legend

Please click "Accept" on the answer that most led you to your solution.

0 Karma

koshyk
Super Champion

Could you please add your "inputs.conf" and "props.conf" to your question, so we can see how individual events are parsed?

0 Karma

muebel
SplunkTrust

I'd verify your universal forwarder configuration. For the windows event logs you are specifying in inputs.conf, you should have an "index=Index_test_03" configuration set.

The main index is the default, and if you have events showing up there it means, for those inputs, they don't have any other index specified.

0 Karma

alacercogitatus
SplunkTrust

How are you collecting the information? Make sure that however you define the input for the Windows logs that you specify the index in the inputs.conf file, otherwise they will go to "main".

0 Karma

altink
Builder

PS: I am using Universal Forwarders installed locally on the Windows servers to retrieve log data.

0 Karma

alacercogitatus
SplunkTrust

Please use the commenting feature, instead of answering the question.

Verify that your indexes are set on the inputs.

Open an Administrative Command Prompt, and type this:

"C:\Program Files\Splunk\bin\splunk.exe" cmd btool inputs list WinEventLog --debug

Make sure that all of the Inputs have the correct index definition defined.

0 Karma
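The btool check suggested twice in this thread (woodcock's `btool inputs list --debug` on every forwarder, and the WinEventLog-only variant above) produces one line per merged setting, prefixed with the file it came from, and muebel's point is that any stanza without an `index` setting falls back to main. The script below is an added example, not code from the thread or from Splunk: it parses either that btool --debug output or a plain inputs.conf, applies the `[default]` stanza inheritance, and lists every input whose events will not land in the index you expect, together with the file that set it. The file paths, app names (`myapp`, `learned`) and stanza contents in the two samples are constructed for the example.

```python
"""Audit which index each Splunk input stanza will actually write to.

Added example (not from the thread or from Splunk). It parses either a
plain inputs.conf or the merged output of
`splunk cmd btool inputs list --debug`, where btool prefixes every line
with the file that setting came from, and reports the effective index
per stanza. A stanza with no `index` of its own and none inherited from
the [default] stanza falls back to the built-in default, `main`, which
is exactly how events end up in an index nobody configured.
"""
import re
from dataclasses import dataclass, field

BUILTIN_DEFAULT_INDEX = "main"

# btool --debug output lines look like:
#   C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf index = index_test_03
# The path may contain spaces (Windows), so anchor on the ".conf" suffix.
DEBUG_PREFIX = re.compile(r"^(?P<src>\S.*?\.conf)\s+(?P<rest>.*)$")


@dataclass
class Stanza:
    name: str
    settings: dict = field(default_factory=dict)  # key -> (value, source file)


def parse(text):
    """Return {stanza name: Stanza} from conf text or btool --debug text."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src = "<inline>"  # plain conf text carries no per-line source file
        m = DEBUG_PREFIX.match(line)
        if m:
            src, line = m.group("src"), m.group("rest").strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], Stanza(line[1:-1]))
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current.settings[key.strip()] = (value.strip(), src)
    return stanzas


def effective_index(stanzas):
    """Return {stanza: (index, where it was set)} for every non-default stanza."""
    inherited = stanzas.get("default", Stanza("default")).settings.get("index")
    result = {}
    for name, stanza in stanzas.items():
        if name == "default":
            continue
        if "index" in stanza.settings:          # stanza's own setting wins
            result[name] = stanza.settings["index"]
        elif inherited:                         # [default] applies to all inputs
            result[name] = inherited
        else:                                   # nothing set anywhere: main
            result[name] = (BUILTIN_DEFAULT_INDEX, "<builtin default>")
    return result


def misrouted(stanzas, expected):
    """Names of stanzas whose events will not land in `expected`, sorted."""
    return sorted(name for name, (idx, _) in effective_index(stanzas).items()
                  if idx != expected)


def report(stanzas, expected):
    """One human-readable line per input, flagged OK or BAD."""
    return [f"{'OK ' if idx == expected else 'BAD'} {name}: index={idx}  (set in {src})"
            for name, (idx, src) in effective_index(stanzas).items()]


# Constructed btool --debug output for one forwarder (hypothetical paths and
# apps): Security is routed correctly, System has no index anywhere, and
# Application is pinned to main by a stray setting in another app.
SAMPLE_BTOOL = r"""
C:\Program Files\Splunk\etc\system\default\inputs.conf [default]
C:\Program Files\Splunk\etc\system\default\inputs.conf host = WIN2008-01
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf [WinEventLog://Security]
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf disabled = 0
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf index = index_test_03
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf [WinEventLog://System]
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf disabled = 0
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf [WinEventLog://Application]
C:\Program Files\Splunk\etc\apps\myapp\local\inputs.conf disabled = 0
C:\Program Files\Splunk\etc\apps\learned\local\inputs.conf index = main
"""

# Constructed plain inputs.conf: the index is set once in [default] and
# inherited, except where a stanza overrides it.
SAMPLE_PLAIN = """
[default]
index = index_test_03

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
index = main
"""

if __name__ == "__main__":
    for title, text in (("btool --debug", SAMPLE_BTOOL), ("plain inputs.conf", SAMPLE_PLAIN)):
        print(f"== {title} ==")
        print("\n".join(report(parse(text), "index_test_03")))
```

To run it against a real forwarder, save the btool output to a file and feed its contents to `parse()`; the `(set in …)` column then points straight at the file to fix, which is the precedence question in woodcock's second possibility. The parser treats any line containing a `.conf` path followed by whitespace as a btool-prefixed line, which is a simplification that is fine for btool output and ordinary inputs.conf files.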

altink
Builder

The problem is that most of them go to the main index, while very few go to what I would be expecting, i.e. my index.
Shouldn't they all go to only one index? Why are they split?

thanks
Altin

0 Karma