Index changes after Device IP changed and hardware refreshed

splunk_newbie3
Loves-to-Learn Everything

Hi Community,

 

One of the log sources (e.g. index=my_index) at my company's Splunk became index=main. After multiple investigations, I found that the Infrastructure Team had refreshed the device to new hardware due to product EOL (same brand, same product line, e.g. Palo Alto PA-3020 to PA-3220). Also, the device IP changed.

Thus, I modified the monitoring path in inputs.conf in the Add-on and distributed it to the HF via the deployment server.

 

Here is an example of what I modified:

 

# original IP was 192.168.1.100 (comment moved to its own line; inputs.conf does not support trailing comments on a stanza header)
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4

 

After these changes, I verified the result on the HF: inputs.conf was successfully updated to the new version.

 

However, the logs still go to index=main when searching on the Search Head after the changes above.

 

Does anyone know if there is anything else I need to modify? Or are there other root causes, apart from the IP change, that could make the logs fall under the wrong index?

 

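One check worth doing for a case like the question above is to work out which monitor stanza a given file path actually resolves to, since a broader stanza with no index setting would send events to the default index main. The following Python helper is an added example, not code from the original post or from Splunk; the catch-all [monitor:///siem/data/syslog] stanza is a constructed assumption, and the rule that the longest matching stanza path wins mirrors the most-specific-stanza precedence.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed inputs.conf (not the poster's real file): the stanza from the
# question plus a hypothetical catch-all stanza that sets no index.
INPUTS_CONF = """
[monitor:///siem/data/syslog]
disabled = false
sourcetype = syslog

[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4
"""

DEFAULT_INDEX = "main"  # index Splunk uses when a stanza sets none


def parse_inputs(text):
    """Return {stanza_name: {key: value}}; only full-line '#' comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_matches(stanza, path):
    """True if a monitor stanza covers the path: a glob pattern or a directory prefix."""
    target = stanza[len("monitor://"):]
    if any(ch in target for ch in "*?["):
        return fnmatch.fnmatchcase(path, target)  # '*' also spans '/' here
    return path == target or path.startswith(target.rstrip("/") + "/")


def route(path, stanzas):
    """Return (index, host) from the most specific enabled stanza, or None if unmonitored."""
    matches = [s for s in stanzas if s.startswith("monitor://") and stanza_matches(s, path)
               and stanzas[s].get("disabled", "false").lower() != "true"]
    if not matches:
        return None
    settings = stanzas[max(matches, key=len)]  # assumption: longest path = most specific
    host = None
    if "host_segment" in settings:
        # parts[0] is '/', so parts[4] is the 4th path segment, as host_segment counts
        host = PurePosixPath(path).parts[int(settings["host_segment"])]
    return settings.get("index", DEFAULT_INDEX), host
```

On a real heavy forwarder, `splunk btool inputs list --debug` shows the merged stanzas and which app each setting comes from, which is the authoritative version of this check.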

isoutamo
SplunkTrust

Hi,

Your changes apply only to new events, not to those which are already indexed.

r. Ismo
