Getting Data In

Logs defaulting into _internal

u2s1e0n2
New Member

I changed the Index I am sending logs to and then reloaded the server-class but my logs are ending up in _internal not the new index. What could I be doing wrong and how do I get my logs to show in the right Index?

Tags (1)
0 Karma

u2s1e0n2
New Member

Thanks for the reponse. I had an app with index= abc indexing data. But I had to transfer the app to a PCI complaint index =abc_sec. I made changes to the the inputs.conf substituting index=abc with index =abc_sec.
Reloaded the serverclass and then the logs are showing up in _internal.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

How did you change the index? What do your inputs look like for the data you are collecting?

index = mytargetindex

That should be on your file inputs, unless you are redirecting these at index time?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi u2s1e0n2,
could you share more information? which logs are you speking about?
if you're speking about splunkd, metrics, etc... you have to copy $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf and then modify index option in the related stanzas.
Anyway, why do you want to change the destination index of Splunk Internal logs? it isn't a good idea and not aligned with Splunk best practices!

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...