Getting Data In

Index changes after Device IP changed and hardware refreshed

splunk_newbie3
Loves-to-Learn Everything

Hi Community,

 

One of the log sources (e.g. index=my_index) at my company's Splunk became index=main. After multiple investigations, I found that the Infrastructure Team had refreshed the device to new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP was changed.

Thus, I modified the monitoring path in inputs.conf in the add-on and distributed it to the HF via the deployment server.

 

Here is an example of what I modified (the comment is on its own line, since Splunk .conf files do not support inline comments after a stanza header or setting):

# original IP was 192.168.1.100
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4

 

After these changes, I verified the result on the HF: inputs.conf was successfully updated to the new version.

However, the logs still go to index=main when searching on the Search Head after the changes above.

Does anyone know if there is anything else I need to modify? Or is there another root cause, apart from the IP change, that is making the logs land in the wrong index?

 

0 Karma
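A quick way to sanity-check a stanza like the one above before pushing it from the deployment server is to model what the monitor input will do with a concrete file path: which stanza claims it, which index it gets when the stanza sets none, and what host_segment resolves to. The script below is an added example, not code from the original post and not Splunk's own matching logic; it is a simplified model that assumes a "*" wildcard matches one path segment ("..." is not modeled), that an unset index falls back to "main", that host_segment counts components from 1 after the leading "/", and that overlapping stanzas are reported as a conflict rather than resolved. The inputs.conf contents, the no-index stanza and the overlapping stanza are constructed for the example.

```python
"""Check which inputs.conf monitor stanza claims a file, and what host/index it gets.

Added example (not from the original post, and not Splunk's own code): a
simplified model of inputs.conf monitor matching for sanity-checking a stanza
before deploying it. Assumptions, none of which come from the post: "*" matches
a single path segment, "..." is not modeled, an unset index falls back to
"main", host_segment counts components from 1 after the leading "/", and an
overlap between stanzas is flagged instead of guessing which one Splunk applies.
"""
import configparser
import fnmatch

# Constructed inputs.conf content. The stanza mirrors the one in the post, with
# the comment on its own line because Splunk .conf files have no inline comments.
INPUTS_CONF = """\
# original IP was 192.168.1.100
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4
"""

# Hypothetical stanzas for two failure modes worth ruling out: an input that
# never sets "index", and a broader stanza that overlaps the new one.
NO_INDEX_CONF = """\
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
sourcetype = my:sourcetype
host_segment = 4
"""

OVERLAPPING_CONF = INPUTS_CONF + """
[monitor:///siem/data/syslog/192.168.1.*/*]
disabled = false
sourcetype = my:sourcetype
"""

DEFAULT_INDEX = "main"  # assumption: where events land when no stanza sets index


def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    return cp


def _segments(path):
    return [s for s in path.split("/") if s]


def _path_matches(pattern, path):
    # Compare segment by segment so "*" cannot match across a "/".
    pat, segs = _segments(pattern), _segments(path)
    return len(pat) == len(segs) and all(
        fnmatch.fnmatchcase(seg, p) for p, seg in zip(pat, segs))


def matching_stanzas(conf_text, path):
    """Return [(stanza_name, settings)] for every enabled monitor stanza matching path."""
    cp = _parse(conf_text)
    hits = []
    for name in cp.sections():
        if not name.startswith("monitor://"):
            continue
        settings = dict(cp[name])
        if settings.get("disabled", "false").strip().lower() in ("1", "true"):
            continue
        if _path_matches(name[len("monitor://"):], path):
            hits.append((name, settings))
    return hits


def resolve(conf_text, path):
    """Resolve stanza, index, sourcetype and host for one file path."""
    hits = matching_stanzas(conf_text, path)
    if not hits:
        return {"stanza": None, "index": None, "sourcetype": None, "host": None}
    if len(hits) > 1:
        # Which stanza wins is left to Splunk; flag the overlap for btool review.
        return {"ambiguous": [name for name, _ in hits]}
    name, s = hits[0]
    host = None
    if "host_segment" in s:
        host = _segments(path)[int(s["host_segment"]) - 1]
    return {"stanza": name, "index": s.get("index", DEFAULT_INDEX),
            "sourcetype": s.get("sourcetype"), "host": host}


if __name__ == "__main__":
    new_file = "/siem/data/syslog/192.168.1.101/pa3220.log"
    for label, conf in (("post", INPUTS_CONF), ("no index", NO_INDEX_CONF),
                        ("overlap", OVERLAPPING_CONF)):
        print(label, resolve(conf, new_file))
    print("old ip", resolve(INPUTS_CONF, "/siem/data/syslog/192.168.1.100/pa3020.log"))
```

On the HF itself, the authoritative version of this check is `splunk btool inputs list --debug`, which prints the merged inputs.conf with the file each setting comes from, so a second stanza that still matches the new path, or one without an `index` line, shows up there. On the search head, `_indextime` separates events indexed before the change from those indexed after it, for example `index=main sourcetype=my:sourcetype | eval indexed=strftime(_indextime, "%Y-%m-%d %H:%M:%S") | stats min(indexed) max(indexed) count by host`; if the newest `indexed` value predates the deployment, the events in main are the already-indexed ones the reply in this thread refers to rather than evidence that the new stanza is wrong.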

isoutamo
SplunkTrust

Hi

Your changes apply only to new events, not to those which are already indexed.

r. Ismo

0 Karma