Getting Data In

Why did the Data not move to the new index?

allen_hunter
Explorer

We have upgraded our NIPS and the management tool has a different IP address than the old one. The NIPS is sending data to our syslog server and putting it in our unassigned folder. I edited the syslog filters to put any messages from the new IP address in the NIPS folder for monitoring. I have restarted the syslog-ng service and the Splunk service.

I have confirmed the logs are being written to the NIPS folder on the syslog server now, but Splunk is still importing them to the unassigned index instead of the NIPS index and showing the source as the old folder. I have also confirmed that no new entries have been put in the old folder since the change.

The inputs.conf looks like this. Where else can I look that might be causing the data to not go into the NIPS index?

[monitor:///app01/syslog/data/siem01/nips/.../*messages]
_rcvbuf = 1572864
disabled = false
host = siem01
host_segment = 6
index = nips
sourcetype = mcafee:ips

[monitor:///app01/syslog/data/siem01/unassigned/.../*messages]
_rcvbuf = 1572864
disabled = false
host = siem01
host_segment = 6
index = unassigned
sourcetype = syslog


PickleRick
SplunkTrust

Check your effective config with btool

splunk btool inputs list --debug
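The btool output shows which stanzas are in effect and where they came from, but not which stanza actually claims a given file. As an added example (not from the thread and not Splunk's own code), the script below approximates that matching for the two stanzas in the question; the treatment of "..." and "*", and host_segment taking precedence over host, are my reading of the inputs.conf documentation, and the file paths are constructed.

```python
import re

# Constructed copy of the two monitor stanzas from the question (settings as posted).
STANZAS = {
    "monitor:///app01/syslog/data/siem01/nips/.../*messages":
        {"index": "nips", "sourcetype": "mcafee:ips", "host_segment": 6},
    "monitor:///app01/syslog/data/siem01/unassigned/.../*messages":
        {"index": "unassigned", "sourcetype": "syslog", "host_segment": 6},
}

def monitor_pattern_to_regex(stanza):
    """Turn a [monitor://<path>] pattern into an anchored regex.
    Assumed semantics (my reading of the Splunk inputs.conf docs):
      '...' matches any number of directory levels, including none;
      '*'   matches any characters within a single path segment.
    """
    path = stanza[len("monitor://"):]
    regex = "^/"
    for seg in path.strip("/").split("/"):
        if seg == "...":
            regex += "(?:[^/]+/)*"
        else:
            regex += re.escape(seg).replace(r"\*", "[^/]*") + "/"
    return re.compile(regex.rstrip("/") + "$")

def resolve(path):
    """Return {'stanza', 'index', 'sourcetype', 'host'} for the first matching
    stanza, or None when no stanza claims the file (then Splunk will not read
    it at all, whatever the syslog-ng filter wrote there)."""
    for stanza, cfg in STANZAS.items():
        if monitor_pattern_to_regex(stanza).match(path):
            # host_segment = N: the Nth '/'-separated segment of the path becomes
            # host (assumed here to override the literal host = setting).
            segments = path.split("/")
            n = cfg["host_segment"]
            host = segments[n] if len(segments) > n else None
            return {"stanza": stanza, "index": cfg["index"],
                    "sourcetype": cfg["sourcetype"], "host": host}
    return None

if __name__ == "__main__":
    # Constructed paths: the new NIPS file, the old file, a rotated file, and a
    # file in a tree that neither stanza covers.
    for p in ["/app01/syslog/data/siem01/nips/10.0.0.5/messages",
              "/app01/syslog/data/siem01/unassigned/10.0.0.4/messages",
              "/app01/syslog/data/siem01/nips/10.0.0.5/messages.1.gz",
              "/app01/syslog/data/siem01/other/10.0.0.5/messages"]:
        print(p, "->", resolve(p))
```

If the new file resolves to the nips stanza here but Splunk still reports the old source, the forwarder is most likely still holding the old file descriptor or replaying its fishbucket state rather than misreading the config.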


allen_hunter
Explorer

Thanks, the info I posted above was from the btool output, which is why I was so confused.

I walked away from the computer and an hour or so later, everything started working as expected. I am happy that it is working now, but am really confused why it took so long for the configs to take effect.


PickleRick
SplunkTrust

Are you sure you don't have badly set time parsing? Especially concerning time zones.

It's a fairly typical issue if your events' timestamps get parsed as "in the future" (for example because the source is reporting in CET and Splunk assumes it's GMT).

Since by default you're seeing "Last X minutes/hours", which translates to "earliest=-something latest=now", you don't see the events that have already been indexed but have a bad timestamp. So you see the events as if they were being indexed properly, whereas in fact you're looking at events from some time ago.


allen_hunter
Explorer

Thanks. I'll check that.

Still very new to the admin side of things and learning what to check for.
