Hello All,
I'm using the Splunk_TA_windows app from Splunk to understand Windows data. I've modified the app to pour data into the indexes of my choice and everything works fine (I've deployed the Splunk_TA_windows to all the Windows nodes and they are pouring data back as I've specified) with the exception of one sourcetype.
Sourcetype = ActiveDirectory
This sourcetype pours its data into the "main" index. I desire all of the ActiveDirectory info to be poured into index = a
As a test to determine how the data was being poured in, I temporarily disabled the Splunk_TA_windows app from its server class. All of the "ActiveDirectory" info stopped being poured in as the Windows deployment app was disabled. Once I turned the app back on all the data began to pour back in (to the main index).
I also noticed under "All Configurations" that the sourcetype ActiveDirectory had 3 entries; all showed the config type was props-extract.
I then navigated over to $SPLUNK_HOME/etc/system/local/ to see if there was an entry made there that would cause this and I see nothing. I tried to create an entry and specify index = a but it had no effect.
It appears that whatever is causing the sourcetype = ActiveDirectory to pour its data into main is directly tied to the Splunk_TA_windows app. I cannot locate where or how to modify it so that the Active Directory info goes to the index of my choosing. Thank you for your assistance.
The admon input included in the TA doesn't list a sourcetype in its default inputs.conf (it's set in code somewhere), so it may not stand out when looking for it, but you can see your admon inputs thusly:

[splunk@indexer ~]$ ./bin/splunk btool inputs list admon
[admon://default]
disabled = 1
host = indexer
index = default
monitorSubtree = 1

This is what is in the default input listing in the TA:

[admon://default]
disabled = 1
monitorSubtree = 1

Wherever you have enabled admon://default is where you should add index = <new index>.
When this sort of thing happens in our environment I use the btool feature to make sure the config loaded corresponds to what I am expecting.

./splunk cmd btool inputs list

You can add "--debug" at the end of the command to see which config file causes what:

./splunk cmd btool inputs list --debug

Write it to a file and start digging for the sourcetype you are looking for 🙂
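As an added illustration (this is not code from the thread or from Splunk), the following Python models the layering that btool resolves for the two answers above: the [admon://default] stanza is merged key by key across default and local inputs.conf files in precedence order, and the file that supplied each key is recorded the way "btool inputs list --debug" reports it. It assumes a reduced precedence order of four layers (system/default < app default < app local < system/local; real Splunk also orders apps by name), that a specific stanza beats the [default] stanza from any file, and that "index = default" means the main index. The file contents are constructed for the example; the TA stanza is the one quoted in the answer.

```python
"""Toy model of Splunk inputs.conf layering (added example, not Splunk code).

Assumptions (simplified from the real rules): four layers in this order,
lowest precedence first; a setting in a named stanza beats the same setting
in any file's [default] stanza; an unset index resolves to "default" (main).
"""
import configparser

PRECEDENCE = [
    "etc/system/default/inputs.conf",
    "etc/apps/Splunk_TA_windows/default/inputs.conf",
    "etc/apps/Splunk_TA_windows/local/inputs.conf",
    "etc/system/local/inputs.conf",
]

# TA default stanza as quoted in the answer above.
TA_DEFAULT = "[admon://default]\ndisabled = 1\nmonitorSubtree = 1\n"

# Constructed files on the Windows node that actually runs the input
# (the deployment client). admon was switched on in the app's local file.
FORWARDER_FILES = {
    "etc/system/default/inputs.conf": "[default]\nindex = default\n",
    "etc/apps/Splunk_TA_windows/default/inputs.conf": TA_DEFAULT,
    "etc/apps/Splunk_TA_windows/local/inputs.conf":
        "[admon://default]\ndisabled = 0\n",
}


def parse(text):
    """Parse one .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (monitorSubtree)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def resolve(files, stanza):
    """Merge `stanza` across files in precedence order, key by key.

    Returns (merged_settings, origin), where origin maps each key to the
    file that supplied it, which is what `btool ... --debug` prints.
    """
    parsed = {p: parse(files[p]) for p in PRECEDENCE if p in files}
    merged, origin = {}, {}
    # Outer loop over sections: the named stanza overrides [default]
    # regardless of which file each came from (assumption, see docstring).
    for section in ("default", stanza):
        for path in PRECEDENCE:
            for key, val in parsed.get(path, {}).get(section, {}).items():
                merged[key] = val
                origin[key] = path
    return merged, origin


def effective_index(files, stanza="admon://default"):
    """(index the input will write to, file that set it)."""
    merged, origin = resolve(files, stanza)
    return merged.get("index"), origin.get("index")


def add_index(files, path, stanza, index):
    """Return a copy of `files` with `index = <index>` added to `stanza`
    in `path`, creating the file or the stanza when it is absent."""
    new = dict(files)
    body = new.get(path, "")
    header = f"[{stanza}]"
    if header in body:
        body = body.replace(header + "\n", f"{header}\nindex = {index}\n", 1)
    else:
        body = body.rstrip("\n") + f"\n{header}\nindex = {index}\n"
    new[path] = body
    return new


if __name__ == "__main__":
    idx, src = effective_index(FORWARDER_FILES)
    print(f"before: index = {idx} (from {src})")
    # Put index = a in the stanza that enables admon, on the host running it.
    fixed = add_index(FORWARDER_FILES,
                      "etc/apps/Splunk_TA_windows/local/inputs.conf",
                      "admon://default", "a")
    idx, src = effective_index(fixed)
    print(f"after:  index = {idx} (from {src})")
    merged, origin = resolve(fixed, "admon://default")
    for key in sorted(merged):
        print(f"  {key} = {merged[key]}    [{origin[key]}]")
```

The "before" run resolves to index = default supplied by system/default, which is why the data lands in main; after the edit the same stanza resolves to index = a from the app's local file while disabled = 0 and monitorSubtree = 1 are still inherited from the other layers. The model only knows about files on the host whose layering it is given, which mirrors the first answer's point: the index setting has to go where admon://default is enabled.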