Hello,
In the » Data inputs » Symantec Web Security Service Configuration there is a » More settings, where it seems possible to specify a custom index.
But this value is never used afterwards, and in the end the logs are still going to index=main.
The only way to do that customization is to add a local file and put the target index info here:
/opt/splunk/etc/apps/TA-SymantecWebSecurityService/local/inputs.conf
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = bluecoat
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
index = bluecoat
Best regards
Thank you for this post! I didn't even give those batch inputs a second thought when I first saw them. We struggled with this same issue and once I read your post, I immediately understood what the issue was and how to fix it.
For anyone else who might read this, the TA works in two steps:
1) The 'scwss-poll' modular input of inputs.conf pulls down an access log from the internet-based web service and drops it on the Splunk filesystem in the '/opt/splunk/var/spool/splunk/' directory.
2) The batch inputs of inputs.conf index the files.
So if you want to change the index name, you need to add the custom 'index = ' parameter to the batch input, since that is the input that indexes the events.
Thanks again!
Tried adding the stanza for custom index and still not seeing data in that index.
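An added example, not part of the thread or of the TA's own code: a small check of how a local inputs.conf layers over the default one for the batch stanzas discussed above, reporting the index each stanza ends up with and flagging a local stanza whose header matches nothing in default. The sample file contents are constructed, the default stanza's settings and the mistyped header are assumptions, and the `main` fallback reflects the behaviour described in the first post.

```python
import re

# Constructed samples. The default stanza's settings are assumptions,
# not copied from the TA; the local stanzas mimic the override in the post.
DEFAULT_CONF = """
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
move_policy = sinkhole
"""
LOCAL_CONF = """
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index = bluecoat
# Hypothetical typo: the ... segment is missing, so this matches nothing in default
[batch://$SPLUNK_HOME/var/spool/splunk/stash_ta_scwss_logs.zip]
index = bluecoat
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_batch_index(default_text, local_text, fallback="main"):
    """Return {stanza: (effective_index, status)} for every batch:// stanza."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    report = {}
    for name in sorted(set(default) | set(local)):
        if not name.startswith("batch://"):
            continue
        merged = {**default.get(name, {}), **local.get(name, {})}  # local wins per key
        if name in default and name in local:
            status = "local overrides default"
        elif name in default:
            status = "default only"
        else:
            status = "local only: header matches no default stanza"
        report[name] = (merged.get("index", fallback), status)
    return report

if __name__ == "__main__":
    for stanza, (index, status) in audit_batch_index(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"{index:10} {status:45} [{stanza}]")
```

On a real installation, pass the contents of the TA's default/inputs.conf and local/inputs.conf instead of the constructed samples.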