- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, if you are using _TCP_ROUTING and index rename on target platform, logs may go to "last chance index"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case review inputs.conf sourcetype and change it if you use default pretrained :
https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Listofpretrainedsourcetypes
"The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this case review inputs.conf sourcetype and change it if you use default pretrained :
https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Listofpretrainedsourcetypes
"The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files."
