I changed the Index I am sending logs to and then reloaded the server-class but my logs are ending up in _internal not the new index. What could I be doing wrong and how do I get my logs to show in the right Index?
Thanks for the reponse. I had an app with index= abc indexing data. But I had to transfer the app to a PCI complaint index =abc_sec. I made changes to the the inputs.conf substituting index=abc with index =abc_sec.
Reloaded the serverclass and then the logs are showing up in _internal.
How did you change the index? What do your inputs look like for the data you are collecting?
index = mytargetindex
That should be on your file inputs, unless you are redirecting these at index time?
Hi u2s1e0n2,
could you share more information? which logs are you speking about?
if you're speking about splunkd, metrics, etc... you have to copy $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf and then modify index option in the related stanzas.
Anyway, why do you want to change the destination index of Splunk Internal logs? it isn't a good idea and not aligned with Splunk best practices!
Bye.
Giuseppe