For PCF (Pivotal Cloud Foundry). i am using HEC on the heavy forwarder. i have created a new index for these events. while generating the token, Available item(s) for index is showing main, history, summary and default.
it is not showing the index which i have created.
what is that i am missing.
should i leave it default and when PCF connects using the token, it will get updated to the index which i specify in PCF?
create the index also on the HF so itts name populates to your dropdown
otherwise, manually edit inputs.conf
Bingo. The definition of the index needs to exist on that HF instance in order for it to display on the dropdowns in the UI. As long as you have the data forwarding (not indexAndForward) from HF to Indexers then the index defined on the HF will only be a definition and contain no data.
Would this apply to a distributed environment? We are having a similar issue trying to generate tokens from the cluster master but only seeing the default indexes as options and not our custom indexes.
Yea, exactly. The UI itself won't show the indexes on your indexers. I deploy a listing of the indexes to many places for this reason (but make sure no local indexing occurs - just forwarding to indexers).
We are using SplunkCloud. Yesterday Splunk upgraded the version with 7.0.5 and that has fix . Now I can see all the indexes in HEC
We are currently on 7.0.4 in our cert environment. I will see about updating to see if the behavior changes. Thanks.
I have the same issue. We are using Splunk Intermediate forwarder through AWS. I am seeing indexes and the index what I need is not there.