Re: Logs defaulting into _internal

u2s1e0n2 · ‎06-20-2017

I changed the Index I am sending logs to and then reloaded the server-class but my logs are ending up in _internal not the new index. What could I be doing wrong and how do I get my logs to show in the right Index?

u2s1e0n2 · ‎06-21-2017

Thanks for the reponse. I had an app with index= abc indexing data. But I had to transfer the app to a PCI complaint index =abc_sec. I made changes to the the inputs.conf substituting index=abc with index =abc_sec.
Reloaded the serverclass and then the logs are showing up in _internal.

esix_splunk · ‎06-20-2017

How did you change the index? What do your inputs look like for the data you are collecting?

index = mytargetindex

That should be on your file inputs, unless you are redirecting these at index time?

gcusello · ‎06-20-2017

Hi u2s1e0n2,
could you share more information? which logs are you speking about?
if you're speking about splunkd, metrics, etc... you have to copy $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf and then modify index option in the related stanzas.
Anyway, why do you want to change the destination index of Splunk Internal logs? it isn't a good idea and not aligned with Splunk best practices!

Bye.
Giuseppe

Logs defaulting into _internal

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Logs defaulting into _internal

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience