SC4S: parsing_err="Incorrect index, index='main'"

pepitogrillospl · ‎12-29-2023

Hi all,

I've setup am SC4S just to forward nix:syslog events.

In local/context/splunk_metadata.csv:

nix_syslog,index,the_index
nix_syslog,sourcetype,nix:syslog

Cant find the events inSplunk and splunkd.log is filling with:

12-29-2023 09:52:50.993 +0000 ERROR HttpInputDataHandler [2140 HttpDedicatedIoThread-0] - Failed processing http input, token name=the_token, channel=n/a, source_IP=172.18.0.1, reply=7, events_processed=1, http_input_body_size=1091, parsing_err="Incorrect index, index='main'"

The HEC probes at sc4s boot are successful and inserted in the correct index.

Any help would be really appreciated.

Thank you

Daniel

pepitogrillospl · ‎03-21-2024

Hi,

If I recall correctly at HEC token creation do not select any index , use local/context/splunk_metadata.csv for that. I think that fixed it.

Daniel

GetAGrip1011 · ‎03-21-2024

That makes sense. Thank you for replying. Do you have an example splunk_metadata.csv file? The Splunk documentation mentions separating items by vendor/type, but they do not mention where to find those.

GetAGrip1011 · ‎03-20-2024

Did you ever figure out a solution to this? Running into the same problem. Seems that there is an issue with where the HEC key points, and the actual index that gets populated.

SC4S: parsing_err="Incorrect index, index='main'"

HTTP Event Collector

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk