All Apps and Add-ons

For Symantec Web Security Service App for Splunk and TA: Why are events getting indexed in "main" index only?

pateriaak
Explorer

TA-SymantecWebSecurityService pulls data from Symantec Web Security Service via a REST endpoint. I installed the Symantec Web Security Service App for Splunk and TA, but events are being indexed in the "main" index only. I defined a separate index for this App and referenced it in inputs.conf. I still cannot figure out why events are being indexed in main. Any lead will be helpful. Thank you!

nkpiquette
Path Finder

@scottprigge posted this answer in his linked thread, but I wanted to post the text here for those coming in from Google:

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!
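
The two-step flow described above, as an added example that is not part of this thread and not the TA's own code: a small Python check that overlays a default/inputs.conf with a local/inputs.conf the way Splunk layers them (a local key overrides the same key in default, stanza by stanza) and reports which index each batch:// stanza will actually write to. The scwss-poll stanza name, the key values and the "scwss" index name are constructed samples; the batch stanza path is the one quoted in this thread. The overlay is a simplified stand-in for btool (it ignores cross-app precedence); on a real deployment, `splunk btool inputs list --debug` shows the merged result authoritatively.

```python
import configparser

# Constructed sample of a TA's default/inputs.conf (hypothetical values, not the real TA's file).
# The modular input only downloads the access log; the batch stanza is what indexes it.
DEFAULT_INPUTS = """\
[scwss-poll://wss_access_logs]
interval = 300

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
move_policy = sinkhole
sourcetype = scwss:accesslog
"""

# Constructed local/inputs.conf that sets the index only on the modular input:
# the downloaded file is still indexed by the batch stanza, which falls back to "main".
LOCAL_INPUTS_MISROUTED = """\
[scwss-poll://wss_access_logs]
index = scwss
"""

# Constructed local/inputs.conf that also overrides the batch stanza (the fix from this thread).
LOCAL_INPUTS_FIXED = """\
[scwss-poll://wss_access_logs]
index = scwss

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = scwss
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.

    Interpolation is disabled so '$SPLUNK_HOME' is kept literally, and key case
    is preserved because Splunk treats .conf keys as case-sensitive.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Overlay layers in order: a later layer (local) overrides an earlier one
    (default) key by key within the same stanza, like Splunk's default/ + local/ merge."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def effective_indexes(merged, fallback="main"):
    """Index each indexing stanza will write to.

    Only batch:// stanzas index events in this TA; an 'index' key on the
    scwss-poll stanza does not route them. A batch stanza without 'index'
    lands in the default index, assumed here to be 'main'.
    """
    return {stanza: keys.get("index", fallback)
            for stanza, keys in merged.items() if stanza.startswith("batch://")}


def misrouted(default_text, local_text, wanted):
    """Return the batch stanzas whose effective index is not the one the admin wanted."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return sorted(stanza for stanza, idx in effective_indexes(merged).items() if idx != wanted)


if __name__ == "__main__":
    for label, local in (("misrouted", LOCAL_INPUTS_MISROUTED), ("fixed", LOCAL_INPUTS_FIXED)):
        print(label, "->", misrouted(DEFAULT_INPUTS, local, "scwss"))
```

Running the block prints the batch stanza under "misrouted" and an empty list under "fixed": the local file that only sets index on the modular input changes nothing about where the events land, while the one that also overrides the batch stanza routes them to the intended index.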

_smp_
Builder

The answer to this question lies in another post on this topic. See https://answers.splunk.com/answers/735808/allowed-customisation-of-target-index-is-not-used.html

pateriaak
Explorer

@scottprigge - thanks!

lakshman239
SplunkTrust

Have you defined local/inputs.conf with the new index on the TA [data collection point]? You can also run splunk btool to check whether your inputs.conf is picked up / has precedence.

pateriaak
Explorer

@lakshman239 - yes, I defined the new index in local inputs.conf; however, there was a batch input which required the new index definition:

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = new index

adobrzeniecki_s
Splunk Employee

The input gets created in the app, not the TA.

pateriaak
Explorer

@adobrzeniecki_splunk yes, when you define a modular input through the GUI it gets created in the App; however, I defined it through the CLI in the TA under local/inputs.conf, and that worked too!

NDabhi21
Explorer

Dear all,

Small doubt on this topic.

If a custom index name is given in the sourcetype instead of the "main" index, does the index need to be created via the CLI, or is it created by the index API?
