All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SRX Indexing

mad4wknds
Path Finder
‎01-25-2014 02:05 PM

I am able to see srx_logs in a new index "SRX" but I want it to go to the "main" index. I can not see SRX logs in the search app when changing Splunk>etc>System>local>Inputs.conf>[UDP://514] index=main

BTW:I can see other source types in the "main" index.

Tags (1)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎01-26-2014 10:48 AM

One possibility is that there is a transforms.conf being utilized that is forcing an index name. Are you using a Juniper app to view the data? This is probably the case if there happens to be an SRX index that you did not create.

There is also a possibility that the date/time extraction is not happening properly, or the timezone is not set properly. If that is the case and you're looking over a relative time period (say back 15 minutes) or even all-time, your search may not return the events showing up from the SRX. When running your search, select real-time -> All Time (real-time) on the time picker. This should show events coming in (if they actually are coming in) regardless of whether or not they have a future time set.

Reply

mad4wknds
Path Finder
‎01-26-2014 03:54 PM

I found the answer to my problem. I had never used the btool before. I analyzed the "default" props.conf file. and found some extra configs there.

OK I know not to modify default files. I just inherited this environment. Thanks for the suggestion.

0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎01-26-2014 12:35 PM

Splunk would not put the data in an index you created unless it's directed to. You can run btool to look at your active configuration and that may lead you to the answer:

splunk cmd btool inputs list --debug

http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

Reply

mad4wknds
Path Finder
‎01-26-2014 12:23 PM

I created the "SRX" index as a test to see if I could get any firewall data in the search app at all. I have the SRX app but I have to get it into the search app first. I have tried changing the index to "main" and "summary" neither of them work. No local Transforms.conf defined. And Date/Time extractions is not the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...