Re: Index changes after Device IP changed and hard...

splunk_newbie3 · ‎10-18-2023

Hi Community,

One of the log source (e.g. index=my_index) at my company's splunk became inter=main. After multiple investigation, i found that Infrastructure Team has refreshed the device to a new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP is changed.

Thus, i have modified the monitoring path at inputs.conf in Add-on and distribute to HF by deployment server.

Here is the example for what i modified:

[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100

disabled = false

index = my_index

sourcetype = my:sourcetype

host_segment = 4

After such changes, i tried to verify the result on HF, the inputs.conf was successfully update to the new version.

However, the logs remain to index=main when searching on Search Head after the changes i did above.

Anyone know if any other thing i need to modify? Or else there are other root cause that making the logs fall under wrong index apart from the ip changes?

isoutamo · ‎10-18-2023

Hi

your changes apply only to new events not to those which are already indexed.

r. Ismo

Index changes after Device IP changed and hardware refreshed

field extraction

heavy forwarder

index

inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation