Splunk Enterprise

Why is the TA_nix app generating false positive alerts?

glpadilla_sol
Path Finder

Hello everyone, 

We are using the TA_nix add-on to get some logs from the Linux servers.

But we noticed that in the Monitoring Console, when we run the Health Check, we get this alert:

[screenshot: Health Check alert from the Monitoring Console]

That index comes from that specific app and it looks like it is generating a lot of sourcetypes. I checked the documentation and I cannot see it listed as a known issue.

So I would like to know if this is expected behavior or if there is any way we can fix this.

Splunk Enterprise: 8.2.2 - on x86_64 x86_64 GNU/Linux

Splunk_TA_nix : 8.3.1

 

Thank you in advance

0 Karma

PickleRick
SplunkTrust

I'd treat this check as more of a "sanity check" than a really technical one. There are no real technical cons to having those sourcetypes. It's just that if you push many different sourcetypes into a single index, maybe it's a situation in which you'd like to split them into different indexes, because the data in those sourcetypes is of completely separate types, uses and so on, and you're gonna suddenly discover one day that you might want to limit access to only one of them. That's all.

Another situation where this would be worrying is if the data was getting into that index in an uncontrolled manner - as the default main index or as your last-resort index.

0 Karma
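A search to reproduce the check's logic and decide whether a flagged index actually needs splitting, added here as an example (it is not from the thread, the Monitoring Console or the add-on); the threshold of 20 sourcetypes is an assumption, and "main" is used as the catch-all because it is Splunk's default index when an input sets none:

```spl
| tstats count where index=* by index, sourcetype
| stats dc(sourcetype) as sourcetype_count, sum(count) as events, values(sourcetype) as sourcetypes by index
| eval threshold=20
| eval status=case(index=="main", "catch-all index: data arrived with no explicit index set",
                   sourcetype_count>threshold, "many sourcetypes: consider splitting by use or by who needs access",
                   true(), "ok")
| sort - sourcetype_count
| table index, sourcetype_count, events, status, sourcetypes
```

Run it over the same time range the health check uses; the sourcetypes column shows which TA_nix data types share the index, which is what you need when grouping them into separate indexes for role-based access.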

glpadilla_sol
Path Finder

Thank you so much!

0 Karma

richgalloway
SplunkTrust

Some of the health checks are of limited utility.  This is one of them.  Ignore it or tune it so it stops reporting.

---
If this reply helps you, Karma would be appreciated.