Dashboards & Visualizations
Highlighted

Index name not showing up HTTP Event Collector(HEC) new token creation

New Member

Hi,
For PCF (Pivotal Cloud Foundry). i am using HEC on the heavy forwarder. i have created a new index for these events. while generating the token, Available item(s) for index is showing main, history, summary and default.
it is not showing the index which i have created.

what is that i am missing.

should i leave it default and when PCF connects using the token, it will get updated to the index which i specify in PCF?

thank you

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

SplunkTrust
SplunkTrust

create the index also on the HF so itts name populates to your dropdown
otherwise, manually edit inputs.conf

Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Ultra Champion

Bingo. The definition of the index needs to exist on that HF instance in order for it to display on the dropdowns in the UI. As long as you have the data forwarding (not indexAndForward) from HF to Indexers then the index defined on the HF will only be a definition and contain no data.

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Loves-to-Learn

Would this apply to a distributed environment? We are having a similar issue trying to generate tokens from the cluster master but only seeing the default indexes as options and not our custom indexes.

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Ultra Champion

Yea, exactly. The UI itself won't show the indexes on your indexers. I deploy a listing of the indexes to many places for this reason (but make sure no local indexing occurs - just forwarding to indexers).

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Loves-to-Learn

Okay, thanks.

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Engager

We are using SplunkCloud. Yesterday Splunk upgraded the version with 7.0.5 and that has fix . Now I can see all the indexes in HEC

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Loves-to-Learn

We are currently on 7.0.4 in our cert environment. I will see about updating to see if the behavior changes. Thanks.

0 Karma
Highlighted

Re: Index name not showing up HTTP Event Collector(HEC) new token creation

Engager

I have the same issue. We are using Splunk Intermediate forwarder through AWS. I am seeing indexes and the index what I need is not there.

0 Karma