Unable to send data to multiple indexes using raw ...

ramganeshn · ‎10-16-2020

We are trying to send data to raw endpoint via Splunk HEC. When we do so, the data is always sent only to the default index and is not sent to the other indexes. Can someone guide us on how to have this resolved? Any idea? The scenario is as below:

[http://LGS-HEC-PROD]
disabled = 0
index = index_one
indexes = index_one,index_two,index_three,index_four,index_five
token = <OUR_HEC_TOKEN>

We are trying to send data from splunk-library-javalogging and to the raw endpoint of our Splunk HEC. So, whenever we send changing the index from index_one to index_two or index_three, the events are still written to the index_one(Which is the default index index = index_one). This is not happening with the event endpoint and happens only with the raw endpoint. Is this a limitation with the Splunk HEC or are we missing something on this. Please advise.

lbruhns · ‎04-02-2021

info on this seems sparse i have a similar challenge with k8s coing over hec, i'd like to be able to have more htan one index per token but how does it route?

Unable to send data to multiple indexes using raw endpoint in Splunk HEC

administration

configuration

troubleshooting

using Splunk Enterprise

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation