Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

UF data going to wrong index

whar_garbl
Path Finder
‎10-06-2021 04:06 PM

I have a UF on an rsyslog server. The UF is forwarding logs to the indexer successfully, but one of my two input flows is going to the wrong index, and I can't figure it out. 

inputs.conf

[monitor:///path/number/one/*]

index = first_index

sourcetype = first_index

host_segment = 4

disabled = false

[monitor:///path/number/two/*]

index = second_index

sourcetype = second_index

host_segment = 4

disabled = false

Data of sourcetype second_index makes it to the corresponding index, but data of sourcetype first_index ends up in the main index. 

The only props and transforms I have configured are from the VMware add-on and its accessories, but I've scoured its conf files and have not found anything that would send this non-VMware data to main instead of where it belongs when it's specified in $SPLUNK_HOME/etc/system/local/inputs.conf.

Any ideas? Thx!

Labels (1)
Labels
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎10-06-2021 08:35 PM

Hello @whar_garbl 

Can you run following btool command from splunk bin directiry to check runtime confguration of inputs config

its shows inputs config from all splunk directory to check any thoer stanza which is taking precence to send the data to main index instaed of first_index for source /path/number/one/*


splunk btool inputs list --debug 

sample output

SanjayReddy_0-1633577655525.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...