Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SC4S: parsing_err="Incorrect index, index='main'"

pepitogrillospl
Loves-to-Learn Lots
‎12-29-2023 03:55 AM

Hi all,

I've setup am SC4S just to forward nix:syslog events.

In local/context/splunk_metadata.csv:

nix_syslog,index,the_index
nix_syslog,sourcetype,nix:syslog

Cant find the events inSplunk and splunkd.log is filling with:

12-29-2023 09:52:50.993 +0000 ERROR HttpInputDataHandler [2140 HttpDedicatedIoThread-0] - Failed processing http input, token name=the_token, channel=n/a, source_IP=172.18.0.1, reply=7, events_processed=1, http_input_body_size=1091, parsing_err="Incorrect index, index='main'"

The HEC probes at sc4s boot are successful and inserted in the correct index.

Any help would be really appreciated.

Thank you

Daniel

Labels (1)
Labels
0 Karma
Reply

pepitogrillospl
Loves-to-Learn Lots
‎03-21-2024 12:56 AM

Hi,

If I recall correctly at HEC token creation do not select any index , use  local/context/splunk_metadata.csv for that. I think that fixed it.

Daniel

0 Karma
Reply

GetAGrip1011
New Member
‎03-21-2024 10:14 AM

That makes sense.  Thank you for replying.  Do you have an example splunk_metadata.csv file?  The Splunk documentation mentions separating items by vendor/type, but they do not mention where to find those. 

 

0 Karma
Reply

GetAGrip1011
New Member
‎03-20-2024 08:05 AM

Did you ever figure out a solution to this?  Running into the same problem.  Seems that there is an issue with where the HEC key points, and the actual index that gets populated. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...