Getting Data In

Data is moved to index=main

psriyanka
Explorer

In my environment, I have installed an application, but instead of the data going to the particular index that was assigned and created for that application in Splunk, it is forwarding the data to index=main.

Has someone faced this issue? If so, please suggest what needs to be done so that the data can be moved to the right index.

0 Karma
1 Solution

adonio
SplunkTrust

The reason for it is that you did not specify the index in your inputs.conf file.
The default index, when the index parameter is not set, is main.
Set up inputs.conf correctly and enjoy the data in the right index.


0 Karma

gcusello
SplunkTrust

Hi @psriyanka,
could you share any additional info?
How do you get the data: universal forwarder, syslog or what else?
Which data are you speaking of?
Could you share the inputs.conf that you're using?
What's your architecture? Do you have Heavy Forwarders?

Ciao.
Giuseppe

0 Karma

psriyanka
Explorer

It's a distributed environment. I have installed the Azure Monitor Add-on for Splunk on the Search Head and configured the input under Settings in the Splunk UI. The problem is that the data is not completely shown and the data is going to index=main, whereas I have configured index=monitorazure for this particular application.

I have set up the Azure Monitor Add-on for Splunk to get data for the below:
input for Activity Logs
input for Diagnostics Logs
input for Metrics

splunk 86420 0 0.0 00:00:00 0.0 2788 113148 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_diagnostic_logs.sh
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-222
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = bash
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

splunk 84594 3 0.0 00:00:00 0.0 3104 115272 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_activity_log.sh
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-164
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = bash
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

splunk 84663 2 0.0 00:00:00 0.0 15836 133984 ? R 00:00 python2.7 /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_monitor_metrics.py
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-164
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = python2.7
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os tag = oshost tag = performance tag = process tag = ps tag = report tag = success

inputs.conf file:

[http://hhh]
disabled = 0
index = monitorazure
indexes = monitorazure
token = XXXX

0 Karma
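The accepted answer's point (an input stanza with no index setting lands in main) can be checked mechanically. The following is an added example, not code from this thread or from Splunk: a small inputs.conf parser that resolves each stanza's effective index and lists the enabled stanzas that would write to main. It assumes a stanza inherits `index` from a `[default]` stanza when it sets none, and that the server's default index is main; the `[http://hhh]` stanza is the one posted above, the script stanza is a constructed sample.

```python
# Added example (not from this thread or from Splunk): find inputs.conf stanzas whose
# events go to index=main. Assumes [default] inheritance and a server default of main.

# Constructed sample: [http://hhh] mirrors the stanza posted above; the script stanza is hypothetical.
SAMPLE = """\
[default]
host = sh01

[http://hhh]
disabled = 0
index = monitorazure
indexes = monitorazure
token = XXXX

[script://./bin/azure_activity_log.sh]
interval = 300
sourcetype = azure:monitor:activity
"""

def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}}; '#' comments and blank lines are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})  # a repeated stanza name merges its keys
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_index(stanzas, name, default_index="main"):
    """Stanza's own index, else the [default] stanza's, else the server default."""
    if "index" in stanzas[name]:
        return stanzas[name]["index"]
    return stanzas.get("default", {}).get("index", default_index)

def stanzas_going_to_main(stanzas):
    """Enabled input stanzas whose events land in main because no other index applies."""
    return [
        name for name, settings in stanzas.items()
        if name != "default"
        and settings.get("disabled", "0").lower() not in ("1", "true")
        and effective_index(stanzas, name) == "main"
    ]
```

Running `stanzas_going_to_main(parse_inputs_conf(SAMPLE))` reports only the script stanza, since `[http://hhh]` sets `index = monitorazure`; note that `indexes` is a separate HEC setting (the allowed list), not the default index.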