Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index name not showing up HTTP Event Collector(HEC) new token creation

gnanaraj_mcc
Loves-to-Learn Lots
‎04-23-2018 07:36 AM

Hi,
For PCF (Pivotal Cloud Foundry). i am using HEC on the heavy forwarder. i have created a new index for these events. while generating the token, Available item(s) for index is showing main, history, summary and default.
it is not showing the index which i have created.

what is that i am missing.

should i leave it default and when PCF connects using the token, it will get updated to the index which i specify in PCF?

thank you

0 Karma
Reply

Santhosh_LMI
Engager
‎04-23-2018 10:43 AM

I have the same issue. We are using Splunk Intermediate forwarder through AWS. I am seeing indexes and the index what I need is not there.

0 Karma
Reply

adonio
Ultra Champion
‎04-23-2018 10:38 AM

create the index also on the HF so itts name populates to your dropdown
otherwise, manually edit inputs.conf

Reply

Santhosh_LMI
Engager
‎12-04-2018 11:16 AM

We are using SplunkCloud. Yesterday Splunk upgraded the version with 7.0.5 and that has fix . Now I can see all the indexes in HEC

0 Karma
Reply

davidaj
Loves-to-Learn
‎12-05-2018 07:17 AM

We are currently on 7.0.4 in our cert environment. I will see about updating to see if the behavior changes. Thanks.

0 Karma
Reply

davidaj
Loves-to-Learn
‎12-04-2018 06:46 AM

Would this apply to a distributed environment? We are having a similar issue trying to generate tokens from the cluster master but only seeing the default indexes as options and not our custom indexes.

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎12-04-2018 11:07 AM

Yea, exactly. The UI itself won't show the indexes on your indexers. I deploy a listing of the indexes to many places for this reason (but make sure no local indexing occurs - just forwarding to indexers).

0 Karma
Reply

davidaj
Loves-to-Learn
‎12-05-2018 07:16 AM

Okay, thanks.

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎05-10-2018 05:57 AM

Bingo. The definition of the index needs to exist on that HF instance in order for it to display on the dropdowns in the UI. As long as you have the data forwarding (not indexAndForward) from HF to Indexers then the index defined on the HF will only be a definition and contain no data.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...