Re: Allowed customisation of target index is not u...

FloSwiip · ‎03-26-2019

Hello,

In the » Data inputs » Symantec Web Security Service Configuration there is a » More settings
where it seems possible to specify a custom Index

But this value is never used after and at the end the logs are still going to index=main

The only way to do that customization is to add a local file, and put target index info here :
/opt/splunk/etc/apps/TA-SymantecWebSecurityService/local/inputs.conf

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = bluecoat
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
index = bluecoat

Best regards

_smp_ · ‎05-06-2019

Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.

For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.

So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.

Thanks again!

leeosutter · ‎07-31-2020

Tried adding the stanza for custom index and still not seeing data in that index.

Allowed customisation of target index is not used

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk