Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did the Data not move to the new index?

allen_hunter
Explorer
‎03-26-2022 10:15 AM

We have upgraded our NIPS and the management tool has a different IP address than the old one. The NIPS is sending data to our syslog server and putting it in our unassigned folder. I edited the syslog filters to put any messages from the new IP address in the NIPS folder for monitoring. I have restarted the syslog-ng service and the Splunk service.

I have confirmed the logs are being written to the NIPS folder on the syslog server now, but Splunk is still importing them to the unassigned index instead of the NIPS index and showing the source as the old folder. I have also confirmed that no new entries have been put in the old folder since the change.

The inputs.conf looks like this. Where else can I look that might be causing the data to not go into the NIPS index?

 

 

[monitor:///app01/syslog/data/siem01/nips/.../*messages]
_rcvbuf = 1572864
disabled = false
host = siem01
host_segment = 6
index = nips
sourcetype = mcafee:ips
[monitor:///app01/syslog/data/siem01/unassigned/.../*messages]
_rcvbuf = 1572864
disabled = false
host = siem01
host_segment = 6
index = unassigned
sourcetype = syslog

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-26-2022 10:47 AM

Check your effective config with btool

splunk btool inputs list --debug

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-26-2022 10:47 AM

Check your effective config with btool

splunk btool inputs list --debug
0 Karma
Reply
Solved! Jump to solution

allen_hunter
Explorer
‎03-26-2022 01:53 PM

Thanks, the info I posted above was from the btool output which is why I was so confused. 

I walked away from the computer and an hour or so later, everything started working as expected. I am happy that it is working now, but am really confused why it took so long for the configs to take effect.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-26-2022 03:56 PM

Are you sure you don't have badly set time parsing? Especially concerning time zones.

It' a fairly typical issue if your events' timestamps get parsed as "in the future" (for example because the source is reporting in CET and splunk assumes it's GMT).

Since by default you're seeing "Last X minutes/hours", which translates to "earliest=-something latest=now", you don't see the events that have already been indexed but have bad timestamp. So you see the events as if they were being indexed properly whereas in fact you're looking at events from some time ago.

0 Karma
Reply
Solved! Jump to solution

allen_hunter
Explorer
‎03-28-2022 08:08 AM

Thanks. I'll check that.

Still very new to the admin side of things and learning what to check for.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...