Getting Data In

Data is moved to index=main

psriyanka
Explorer

In my environment, I have installed an application, but instead of getting the data into the particular index which is assigned and created for that particular application in Splunk, it's forwarding the data to index=main.

Has anyone faced this issue? If so, please suggest what needs to be done so that the data can be moved to the right index.

0 Karma
1 Solution

adonio
Ultra Champion

The reason for it is that you did not specify the index in your inputs.conf file.
The default index, when the index parameter is not set, is: main
Set up inputs.conf correctly and enjoy the data in the right index.

0 Karma
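One way to check a single inputs.conf for the condition adonio describes, as an added example that is not from the thread or from Splunk: it reports the index each enabled stanza will write to, treating a missing index setting as main. The sample file is constructed, the azure_* and script stanza names are assumptions, and the layered merge of several inputs.conf files is not modelled.

```python
# Added example (not from the thread): which inputs.conf stanzas fall back to index=main?
# SAMPLE is constructed; every stanza name except [http://hhh] is an assumption.
SAMPLE = """\
[http://hhh]
disabled = 0
index = monitorazure
token = XXXX

[azure_activity_log://example_activity]
interval = 60

[azure_diagnostic_logs://example_diag]
index = monitorazure

[script://./bin/example.sh]
disabled = 1
"""


def parse_conf(text):
    """Return {stanza: {key: value}}, skipping blank lines and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def effective_indexes(text):
    """Map each enabled input stanza to the index its events are written to."""
    stanzas = parse_conf(text)
    # An index under [default] covers stanzas without their own; otherwise "main".
    fallback = stanzas.get("default", {}).get("index", "main")
    return {
        name: cfg.get("index", fallback)
        for name, cfg in stanzas.items()
        if name != "default" and cfg.get("disabled", "0").lower() not in ("1", "true")
    }


def stanzas_landing_in(text, index="main"):
    """List the enabled stanzas whose effective index equals `index`."""
    return sorted(n for n, i in effective_indexes(text).items() if i == index)
```

On a live instance, `splunk btool inputs list --debug` shows the merged settings and the file each one comes from.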

gcusello
SplunkTrust

Hi @psriyanka,
Could you share any additional info?
How do you get the data: universal forwarder, syslog, or something else?
Which data are you speaking of?
Could you share the inputs.conf that you're using?
What's your architecture? Do you have Heavy Forwarders?

Ciao.
Giuseppe

0 Karma

psriyanka
Explorer

It's a distributed environment. I have installed the Azure Monitor Add-on for Splunk on the Search Head and configured the input under Settings in the Splunk UI. The problem is that the data is not completely shown and the data is going to index=main, whereas I have configured index=monitorazure for this particular application.

I have set up the Azure Monitor Add-on for Splunk to get data for the inputs below:
input for Activity Logs
input for Diagnostics Logs
input for Metrics

splunk 86420 0 0.0 00:00:00 0.0 2788 113148 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_diagnostic_logs.sh
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-222
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = bash
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os
tag = oshost
tag = performance
tag = process
tag = ps
tag = report
tag = success

splunk 84594 3 0.0 00:00:00 0.0 3104 115272 ? S 00:01 bash /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_activity_log.sh
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-164
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = bash
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os
tag = oshost
tag = performance
tag = process
tag = ps
tag = report
tag = success

splunk 84663 2 0.0 00:00:00 0.0 15836 133984 ? R 00:00 python2.7 /opt/splunk/etc/apps/AzureMonitorAddonForSplunk-master/bin/azure_monitor_metrics.py
CPUTIME = 00:00:00
PercentProcessorTime = 0.0
eventtype = ps os oshost performance process ps report success
host = ip-10-20-201-164
index = main
linecount = 1
process_cpu_used_percent = 0.0
process_name = python2.7
punct = __________________________________________________
source = ps
sourcetype = ps
splunk_server = ip-XXXXXXXXXXX
splunk_server_group = dmc_group_indexer
tag = os
tag = oshost
tag = performance
tag = process
tag = ps
tag = report
tag = success

INPUT.CONF File:

[http://hhh]
disabled = 0
index = monitorazure
indexes = monitorazure
token = XXXX

0 Karma