Solved: inputs.conf and destination index

peter_gianusso · ‎09-14-2012

this stanza works and indexes events:

[monitor://\Njros1bva0624\c_root$\Program Files\eClarifyPM\eClarifyPM.log]

disabled = false

host = ECLARIFYLOG_HOST

alwaysOpenFile = 1

sourcetype = ECLARIFYLOG

If shutdown splunk, I clean the indexes, thenchange the above stanza to the stanza below and then restart splunk , this stanza does not result in any indexing of events:

[monitor://\Njros1bva0624\c_root$\Program Files\eClarifyPM\eClarifyPM.log]

disabled = false

host = ECLARIFYLOG_HOST

alwaysOpenFile = 1

sourcetype = ECLARIFYLOG

index=imaging]

The index, imaging, does exist.

Please advise

sieutruc · ‎09-14-2012

I think you should use search as: index=imaging .... Or you can go to Access Control->Role and add that index into your user's selected indexes. If not, try to restart again.

View solution in original post

sieutruc · ‎09-14-2012

I think you should use search as: index=imaging .... Or you can go to Access Control->Role and add that index into your user's selected indexes. If not, try to restart again.

peter_gianusso · ‎09-14-2012

Now I understand your comments about user's selected indexes..you need to add it to the role's default indexes..bingo!!

sieutruc · ‎09-14-2012

Try those commands
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata [imaging|main]
/opt/splunk/bin/splunk start

peter_gianusso · ‎09-14-2012

the problem isn't a search. it doesn't index any files when I add the index=imaging.

inputs.conf and destination index

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases