Hi Community,

One of the log sources (e.g. index=my_index) at my company's Splunk became index=main. After multiple investigations, I found that the Infrastructure Team has refreshed the device to new hardware due to product EOL (same brand, same product, e.g. Palo Alto 3020 to PA3220). Also, the device IP has changed. Thus, I modified the monitoring path in inputs.conf in the Add-on and distributed it to the HF by deployment server. Here is an example of what I modified:

[monitor:///siem/data/syslog/192.168.1.101/*]
# original IP was 192.168.1.100
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4

After such changes, I tried to verify the result on the HF; inputs.conf was successfully updated to the new version. However, the logs remain in index=main when searching on the Search Head after the changes I made above. Does anyone know if there is anything else I need to modify? Or are there other root causes that could make the logs fall under the wrong index, apart from the IP change?
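One way to reason about which monitor stanza (and therefore which index and host) a given syslog file would get, added here as an example that is not from the post or from Splunk itself: a small Python matcher over a constructed inputs.conf. It approximates Splunk's monitor path matching, assumes an unset index resolves to main and that the longest matching path wins, and includes a constructed catch-all stanza with no index to show how a file the edited stanza does not cover ends up in main.

```python
import re

# Constructed sample: the stanza from the post plus a broad catch-all that
# sets no index (assumption: such a stanza could exist elsewhere on the HF).
SAMPLE_INPUTS_CONF = """
[monitor:///siem/data/syslog/192.168.1.101/*]
disabled = false
index = my_index
sourcetype = my:sourcetype
host_segment = 4

[monitor:///siem/data/syslog]
disabled = false
sourcetype = syslog
"""

DEFAULT_INDEX = "main"  # assumption: the 'default' index maps to main here

def parse_inputs_conf(text):
    """Parse [monitor://path] stanzas into dicts with 'path' and 'settings'."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[monitor://") and line.endswith("]"):
            current = {"path": line[len("[monitor://"):-1], "settings": {}}
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["settings"][key.strip()] = value.strip()
    return stanzas

def monitor_path_matches(pattern, file_path):
    """Approximate Splunk matching: a bare directory covers everything under it,
    '...' matches across '/', '*' matches within a single path segment."""
    if "*" not in pattern and "..." not in pattern:
        return file_path == pattern or file_path.startswith(pattern.rstrip("/") + "/")
    regex = "".join(".*" if tok == "..." else "[^/]*" if tok == "*" else re.escape(tok)
                    for tok in re.split(r"(\.\.\.|\*)", pattern))
    return re.fullmatch(regex, file_path) is not None

def resolve_index(stanzas, file_path):
    """Return (index, host) from the most specific enabled stanza matching file_path,
    or (None, None) when nothing matches (Splunk would not monitor the file at all)."""
    hits = [s for s in stanzas
            if s["settings"].get("disabled", "false").lower() != "true"
            and monitor_path_matches(s["path"], file_path)]
    if not hits:
        return None, None
    best = max(hits, key=lambda s: len(s["path"]))  # assumption: longest path wins
    host = None
    if "host_segment" in best["settings"]:
        seg = int(best["settings"]["host_segment"])
        host = file_path.strip("/").split("/")[seg - 1]
    return best["settings"].get("index", DEFAULT_INDEX), host
```

On the forwarder itself, `splunk btool inputs list --debug` shows the merged stanzas and which file each setting came from, which is the authoritative check rather than this approximation.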