Index changes after Device IP changed and hardware...

splunk_newbie3 · ‎10-18-2023

Hi Community,

One of the log source (e.g. index=my_index) at my company's splunk became inter=main. After multiple investigation, i found that Infrastructure Team has refreshed the device to a new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP is changed.

Thus, i have modified the monitoring path at inputs.conf in Add-on and distribute to HF by deployment server.

Here is the example for what i modified:

[monitor:///siem/data/syslog/192.168.1.101/*] #original ip was 192.168.1.100

disabled = false

index = my_index

sourcetype = my:sourcetype

host_segment = 4

After such changes, i tried to verify the result on HF, the inputs.conf was successfully update to the new version.

However, the logs remain to index=main when searching on Search Head after the changes i did above.

Anyone know if any other thing i need to modify? Or else there are other root cause that making the logs fall under wrong index apart from the ip changes?

isoutamo · ‎10-18-2023

Hi

your changes apply only to new events not to those which are already indexed.

r. Ismo

Index changes after Device IP changed and hardware refreshed

field extraction

heavy forwarder

index

inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation