Getting Data In

Index changes after Device IP changed and hardware refreshed

splunk_newbie3
Loves-to-Learn Everything

Hi Community,

One of the log sources (e.g. index=my_index) at my company's Splunk became index=main. After multiple investigations, I found that the Infrastructure Team had refreshed the device to new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP changed.

Thus, I modified the monitoring path in inputs.conf in the add-on and distributed it to the HF via the deployment server.

Here is an example of what I modified:

# original IP was 192.168.1.100
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4

After these changes, I verified on the HF that inputs.conf had been successfully updated to the new version.

However, the logs still go to index=main when searching on the Search Head after the changes I made above.

Does anyone know if there is anything else I need to modify? Or could there be another root cause making the logs fall under the wrong index, apart from the IP change?


isoutamo
SplunkTrust

Hi

Your changes apply only to new events, not to those which are already indexed.

r. Ismo

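As an added example (not code from the question or from Ismo's reply), the following Python script parses the stanza from the question, flags the inline comment on the stanza line (Splunk .conf files do not support inline comments, so text after the closing bracket is not ignored), and predicts which index and host a new file under the new IP directory would be assigned, since, as the reply notes, only events read after the change are affected. The monitor-path matching and host_segment logic are simplified re-implementations for this check, not Splunk's own code.

```python
import re

# Constructed inputs.conf text mirroring the stanza from the question, including
# the inline comment on the stanza line as originally posted.
SAMPLE_INPUTS_CONF = """\
[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4
"""

def parse_inputs_conf(text):
    """Parse .conf text into {stanza: {key: value}} and a list of warnings."""
    stanzas, warnings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # only full-line comments are comments
            continue
        if line.startswith("["):
            header = line[1:]
            if "#" in header or not line.endswith("]"):
                warnings.append(f"trailing text on stanza line is not a comment: {line}")
            header = header.split("]")[0]          # the stanza name the author intended
            current = stanzas.setdefault(header, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas, warnings

def host_from_segment(file_path, host_segment):
    """Host value Splunk derives from a path: 1-based segment after the leading slash."""
    segments = [s for s in file_path.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        return None
    return segments[host_segment - 1]

def expected_routing(stanzas, file_path):
    """Return (index, host) from the first enabled monitor stanza matching file_path."""
    for header, keys in stanzas.items():
        if not header.startswith("monitor://"):
            continue
        # Translate the simple glob in the stanza path into a regex (simplified matching).
        pattern = re.escape(header[len("monitor://"):]).replace(r"\*", "[^/]*")
        if re.fullmatch(pattern, file_path) and keys.get("disabled", "false") != "true":
            host = host_from_segment(file_path, int(keys.get("host_segment", 0) or 0))
            return keys.get("index", "main"), host   # unmatched files fall to "main"
    return None
```

Run it against the paths of files that were created after the IP change; if the new directory does not match any stanza, those events land in the default index.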