You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am working with our splunk admin, but we cannot get the logs to appear anywhere but "main". We are using an HEC token. Logs make it to splunk (Using splunk cloud) main index without issue. But if we set the token to go to a specific index, or try to change the index we see things like:
parsing_err="invalid_index='main'"
I also tried to edit the metadata csv file using something like:
some_label,index,my_custom_index
But no luck. I am new to splunk, and I apologize if this is a dumb post, but I am not sure where to start. Any ideas?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
I am working with our splunk admin, but we cannot get the logs to appear anywhere but "main". We are using an HEC token. Logs make it to splunk (Using splunk cloud) main index without issue. But if we set the token to go to a specific index, or try to change the index we see things like:
I also tried to edit the metadata csv file using something like:
But no luck. I am new to splunk, and I apologize if this is a dumb post, but I am not sure where to start. Any ideas?
Beta Was this translation helpful? Give feedback.
All reactions