Getting Data In

Index changes after Device IP changed and hardware refreshed

splunk_newbie3
Loves-to-Learn Everything

Hi Community,

 

One of the log source (e.g. index=my_index) at my company's splunk became inter=main. After multiple investigation, i found that Infrastructure Team has refreshed the device to a new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP is changed.

Thus, i have modified the monitoring path at inputs.conf in Add-on and distribute to HF by deployment server.

 

Here is the example for what i modified:

 

[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100 

disabled = false 

index = my_index

sourcetype = my:sourcetype

host_segment = 4

 

After such changes, i tried to verify the result on HF, the inputs.conf was successfully update to the new version. 

 

However, the logs remain to index=main when searching on Search Head after the changes i did above.

 

Anyone know if any other thing i need to modify? Or else there are other root cause that making the logs fall under wrong index apart from the ip changes?

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

your changes apply only to new events not to those which are already indexed.

r. Ismo

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...