UF data going to wrong index

whar_garbl · ‎10-06-2021

I have a UF on an rsyslog server. The UF is forwarding logs to the indexer successfully, but one of my two input flows is going to the wrong index, and I can't figure it out.

inputs.conf

[monitor:///path/number/one/*]

index = first_index

sourcetype = first_index

host_segment = 4

disabled = false

[monitor:///path/number/two/*]

index = second_index

sourcetype = second_index

host_segment = 4

disabled = false

Data of sourcetype second_index makes it to the corresponding index, but data of sourcetype first_index ends up in the main index.

The only props and transforms I have configured are from the VMware add-on and its accessories, but I've scoured its conf files and have not found anything that would send this non-VMware data to main instead of where it belongs when it's specified in $SPLUNK_HOME/etc/system/local/inputs.conf.

Any ideas? Thx!

SanjayReddy · ‎10-06-2021

Hello @whar_garbl

Can you run following btool command from splunk bin directiry to check runtime confguration of inputs config

its shows inputs config from all splunk directory to check any thoer stanza which is taking precence to send the data to main index instaed of first_index for source /path/number/one/*

splunk btool inputs list --debug

sample output

UF data going to wrong index

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!