Re: SC4S and indexes

njusticesnb · ‎01-06-2022

Hello,

I have a SC4S server setup receiving info from our Network UPS. I have created a new index for any date to do with our UPS in Splunk. I went into the SC4S server and modified the compliance_meta_by_source.conf and compliance_meta_by_source.csv files. When I add the entry for the new index the info stops coming to our Splunk environment. If I remove it it starts coming over again. What am I doing wrong. If I leave the .splunk.index portion out the info goes over with the new source type and also creates the new field in splunk, but as soon as I add the index part the info stops going over. Below is the info that I have put in both files.

compliance_meta_by_source.conf

filter f_powerware_ups {
host("my ups IP address" type(glob))
};

compliance_meta_by_source.csv

f_powerware_ups,.splunk.sourcetype,"powerware_ups"
f_powerware_ups,fields.vendor,"Eaton"
f_powerware_ups,.splunk.index,"netups"

blbr123 · ‎06-01-2022

Is the index mentioned in the HEC configuration?

SC4S and indexes

index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation