Getting Data In

Solution : index renaming not working when using _TCP_ROUTING

splunkreal
Motivator

Hello, if you are using _TCP_ROUTING and index rename on target platform, logs may go to "last chance index" 

 

 

 

* If this helps, please upvote or accept solution if it solved *
0 Karma
1 Solution

splunkreal
Motivator

In this case review inputs.conf sourcetype and change it if you use default pretrained :

 

https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Listofpretrainedsourcetypes

 

"The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files."

* If this helps, please upvote or accept solution if it solved *

View solution in original post

0 Karma

splunkreal
Motivator

In this case review inputs.conf sourcetype and change it if you use default pretrained :

 

https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Listofpretrainedsourcetypes

 

"The source types marked with an asterisk ( * ) use the INDEXED_EXTRACTIONS attribute, which sets other attributes in props.conf to specific defaults and requires special handling to forward to another Splunk platform instance. See Forward fields extracted from structured data files."

* If this helps, please upvote or accept solution if it solved *
0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...