Hi all,

I'm trying to configure a tcpinput endpoint configuration in a way which makes me able to route incoming traffic in a few indexes.

I'm trying to use tokens to do this.

From Splunk web gui I can see that is possible to bind an HEC token to a certain index.

It seems I'm not able to do the same with the TCP tokens.

I've been following this documentation to define my token:

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Controlforwarderaccess

and then defining this on my indexer instance's inputs.conf file:

[splunktcp://9997]
disabled = 0
index = minikube_on_hs9

[splunktcptoken://my_token]
disabled = 0
index = minikube_on_hs9
token = $7$qlaEJcxHynjqXZHqCddO61xXxB/FUh/aooVPVFvjBEde9OnUZPx6Oz/Te8ye0lJKR/3tkNuCXjK8ccPLsKARgNAIkSg=

after a restart of Splunk, the status of the token was as the one showed in the attached screenshot.

At the moment of creation, the token seemed associated to the default index, though.

On my test client, in the outputs.conf file, I have something like this:

[tcpout]
defaultGroup = tcpin-sre-tools

token = $7$2ygFLiflfLjPs/n/jXxuOBI/aSgTK/Hwf+IcSSMkAtt6V+ATWCbOm4+95VpVPag05bco0qjlMuEckfcxtZDBa7h1fu0=

[tcpout:tcpin-sre-tools]

server = my_server_name:9997

No error related to token missing or mismatch, but still unable to address logs from my client into the specified index on the Splunk side. The logs get injected in the main index.

Any idea how to fix this?

Best regards,

Giuseppe