It was reported to me that data from one of our devices is showing up in the wrong index. Is there an easy way to fix this?
What do you mean by fix this? Ensure future logs from that device go into the correct index? Or move the data that ended up in the wrong index to the correct one?
What index did it go into and what index should it have gone into? What is the configuration you have for this input?
I mean fix this by getting the data that is filtering into the wrong index into the correct index. And also ensure future logs of this type filter into the correct index.
Is the data routed through a syslog server or is it going to a network port open directly on Splunk? Can you share your inputs.conf stanza for your Bluecoat data?
This is a really broad question. What is the data source? Is it coming from a Universal Forwarder? Syslog? API pull?
If it is a UF, is it collected with a TA or is it via custom inputs?
Assuming it is a file being monitored by a UF with an inputs.conf, then just adjust the index there. Set index=<new index>.
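As an added illustration (not posted by anyone in this thread), the three places the index can be set for data like this, covering the UF file-monitor case described above and also the syslog-to-network-port case that comes up later in the thread. The index name "proxy", the sourcetype "bluecoat:proxysg", the host "proxy01", the file path and the port are all assumptions for the example:

```ini
# Added example, not from the thread. Assumed names: index "proxy",
# sourcetype "bluecoat:proxysg", host "proxy01", syslog port 514.

# --- Case 1: log file monitored by a Universal Forwarder (inputs.conf on the UF) ---
# Only the index key has to change; restart the forwarder afterwards.
[monitor:///var/log/bluecoat/access.log]
sourcetype = bluecoat:proxysg
index = proxy

# --- Case 2: syslog sent straight to a network input (inputs.conf on the
# indexer or heavy forwarder). Everything arriving on this port gets this index.
[udp://514]
sourcetype = bluecoat:proxysg
index = proxy
connection_host = ip

# --- Case 3: a shared syslog port carries several sources and only the Bluecoat
# events must be re-routed. Override the index at parse time with props.conf and
# transforms.conf on the first full Splunk instance (indexer or heavy forwarder)
# that parses the data; a Universal Forwarder does not apply these.

# props.conf  (keyed on the sending host; a sourcetype stanza works the same way)
[host::proxy01]
TRANSFORMS-route_bluecoat = set_index_proxy

# transforms.conf
[set_index_proxy]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = proxy
```

Two checks worth doing after the change: the target index must already exist in indexes.conf on the indexers, otherwise the events are not simply written to it, and `splunk btool inputs list --debug` (or `btool props`/`btool transforms`) shows which file is actually supplying the effective `index` value, which is the quickest way to find the stanza that sent the data to the wrong index in the first place.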
The data source is Bluecoat Proxy logs using syslog.
Is it going, by any chance, to the main index?
It is not.
As mentioned in my previous comment: can you please provide some proper context on the issue? What configs do you have, what index does it go to, what index should it go to. You'll need to figure out the cause of the issue before anyone can tell you how to fix it.
As for moving the already misplaced data to the correct index: there is no simple method for that. You could export the respective raw events and then re-ingest them to the correct index. And once confirmed that they are ok, delete them from the old index.
OK, thank you.