Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Syslog data going to lastchanceindex

Dominic32
Explorer
‎10-27-2023 03:53 PM

I added a new syslog source using upd port 514. The data is being ingested into "lastchanceindex". How can I find out what index splunk "wants" to put the data into, so that I can create that index? Or how can I specify an index without disrupting the other syslog data sources?

We use udp://514 for many different syslog data sources, so specifying all of it to go to one index wouldn't work.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).
0 Karma
Reply
Solved! Jump to solution

enzomialich
Path Finder
‎10-27-2023 04:41 PM

IMO you should use a HF for this.

HF will route data based on its contents. So if a log comes with something "trend micro" send to a specific index.

It will be something like this: Solved: How do I route data to specific index based on a f... - Splunk Community

 

 

0 Karma
Reply
Solved! Jump to solution

Dominic32
Explorer
‎10-27-2023 04:44 PM

We are using 2 load balanced HFs for this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...