Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

UF data going to wrong index

whar_garbl
Path Finder
‎10-06-2021 04:06 PM

I have a UF on an rsyslog server. The UF is forwarding logs to the indexer successfully, but one of my two input flows is going to the wrong index, and I can't figure it out. 

inputs.conf

[monitor:///path/number/one/*]

index = first_index

sourcetype = first_index

host_segment = 4

disabled = false

[monitor:///path/number/two/*]

index = second_index

sourcetype = second_index

host_segment = 4

disabled = false

Data of sourcetype second_index makes it to the corresponding index, but data of sourcetype first_index ends up in the main index. 

The only props and transforms I have configured are from the VMware add-on and its accessories, but I've scoured its conf files and have not found anything that would send this non-VMware data to main instead of where it belongs when it's specified in $SPLUNK_HOME/etc/system/local/inputs.conf.

Any ideas? Thx!

Labels (1)
Labels
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎10-06-2021 08:35 PM

Hello @whar_garbl 

Can you run following btool command from splunk bin directiry to check runtime confguration of inputs config

its shows inputs config from all splunk directory to check any thoer stanza which is taking precence to send the data to main index instaed of first_index for source /path/number/one/*


splunk btool inputs list --debug 

sample output

SanjayReddy_0-1633577655525.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...