Solved: Index main

juls0125 · ‎01-08-2020

Hello Splunkers!

I have a question, i have installed a universal forwarder on a AIX server, but all the logs arrives on the index "main", they should be arrive in one especific index that i created. How can i fix this issue and why is this happening?

richgalloway · ‎01-08-2020

Check the inputs.conf file(s) on the forwarder to confirm an index is specified for each input.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-08-2020

Check the inputs.conf file(s) on the forwarder to confirm an index is specified for each input.

---
If this reply helps you, Karma would be appreciated.

juls0125 · ‎01-08-2020

i have added the next information on the inputs.conf file without any change (informix is the index)

[monitor://$SPLUNK_HOME/audit]
index = informix

richgalloway · ‎01-10-2020

Did you restart Splunk after making the change?

---
If this reply helps you, Karma would be appreciated.

Index main

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?