Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog data going to lastchanceindex

Dominic32
Explorer
‎10-27-2023 03:53 PM

I added a new syslog source using upd port 514. The data is being ingested into "lastchanceindex". How can I find out what index splunk "wants" to put the data into, so that I can create that index? Or how can I specify an index without disrupting the other syslog data sources?

We use udp://514 for many different syslog data sources, so specifying all of it to go to one index wouldn't work.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).
0 Karma
Reply
Solved! Jump to solution

enzomialich
Path Finder
‎10-27-2023 04:41 PM

IMO you should use a HF for this.

HF will route data based on its contents. So if a log comes with something "trend micro" send to a specific index.

It will be something like this: Solved: How do I route data to specific index based on a f... - Splunk Community

 

 

0 Karma
Reply
Solved! Jump to solution

Dominic32
Explorer
‎10-27-2023 04:44 PM

We are using 2 load balanced HFs for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...