Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog data going to lastchanceindex

Dominic32
Explorer
‎10-27-2023 03:53 PM

I added a new syslog source using upd port 514. The data is being ingested into "lastchanceindex". How can I find out what index splunk "wants" to put the data into, so that I can create that index? Or how can I specify an index without disrupting the other syslog data sources?

We use udp://514 for many different syslog data sources, so specifying all of it to go to one index wouldn't work.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Dominic32
Explorer
‎10-27-2023 04:47 PM

I was able to resolve the issue. in the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).
0 Karma
Reply
Solved! Jump to solution

enzomialich
Path Finder
‎10-27-2023 04:41 PM

IMO you should use a HF for this.

HF will route data based on its contents. So if a log comes with something "trend micro" send to a specific index.

It will be something like this: Solved: How do I route data to specific index based on a f... - Splunk Community

 

 

0 Karma
Reply
Solved! Jump to solution

Dominic32
Explorer
‎10-27-2023 04:44 PM

We are using 2 load balanced HFs for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...