SC4S and indexes

njusticesnb · ‎01-06-2022

Hello,

I have a SC4S server setup receiving info from our Network UPS. I have created a new index for any date to do with our UPS in Splunk. I went into the SC4S server and modified the compliance_meta_by_source.conf and compliance_meta_by_source.csv files. When I add the entry for the new index the info stops coming to our Splunk environment. If I remove it it starts coming over again. What am I doing wrong. If I leave the .splunk.index portion out the info goes over with the new source type and also creates the new field in splunk, but as soon as I add the index part the info stops going over. Below is the info that I have put in both files.

compliance_meta_by_source.conf

filter f_powerware_ups {
host("my ups IP address" type(glob))
};

compliance_meta_by_source.csv

f_powerware_ups,.splunk.sourcetype,"powerware_ups"
f_powerware_ups,fields.vendor,"Eaton"
f_powerware_ups,.splunk.index,"netups"

blbr123 · ‎06-01-2022

Is the index mentioned in the HEC configuration?

SC4S and indexes

index

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Join the Conversation

SC4S and indexes

index

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education