Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Logs defaulting into _internal

u2s1e0n2
New Member
‎06-20-2017 11:48 PM

I changed the Index I am sending logs to and then reloaded the server-class but my logs are ending up in _internal not the new index. What could I be doing wrong and how do I get my logs to show in the right Index?

Tags (1)
0 Karma
Reply

u2s1e0n2
New Member
‎06-21-2017 10:27 AM

Thanks for the reponse. I had an app with index= abc indexing data. But I had to transfer the app to a PCI complaint index =abc_sec. I made changes to the the inputs.conf substituting index=abc with index =abc_sec.
Reloaded the serverclass and then the logs are showing up in _internal.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎06-20-2017 11:58 PM

How did you change the index? What do your inputs look like for the data you are collecting? 

index = mytargetindex

That should be on your file inputs, unless you are redirecting these at index time?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-20-2017 11:58 PM

Hi u2s1e0n2,
could you share more information? which logs are you speking about?
if you're speking about splunkd, metrics, etc... you have to copy $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf and then modify index option in the related stanzas.
Anyway, why do you want to change the destination index of Splunk Internal logs? it isn't a good idea and not aligned with Splunk best practices!

Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...