I almost hesitate to ask this because I know the answer must be simple.
I have a small indexer clustering environment with a cluster master and two indexers. I am successfully receiving UDP:514 data, but it is being placed into the main index.
I have created an app, $splunkhome/etc/master_apps/syslogapp
Inside that, in the local directory, I have created the following inputs.conf:
[udp://514]
connection_host = ip
sourcetype = syslog
disabled = 0
index = poc
I pushed the configuration bundle successfully; however, syslog data is still being sent to the main index, not poc.
What am I missing?
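A practitioner troubleshooting this usually wants to know which copy of inputs.conf is actually winning on the peer, because Splunk merges .conf files attribute by attribute in precedence order (system/local, then app local directories in ASCII order with earlier names winning, then app default directories, then system/default). The script below is an added example, not the poster's configuration and not a Splunk tool: it resolves a stanza across a set of constructed .conf files and reports where each effective attribute came from. The file paths and contents are constructed for illustration (the cluster bundle is assumed to land under the peer's etc/slave-apps directory, and the assumed conflicting system/local stanza is invented for the demonstration); treating [default] attributes as lower precedence than any explicit stanza attribute is a simplification of Splunk's rules.

```python
import re
from collections import OrderedDict

# Constructed sample files as they might sit on one indexer peer (hypothetical, not the poster's).
SAMPLE_FILES = {
    "etc/system/local/inputs.conf": """
[udp://514]
index = main
""",
    "etc/slave-apps/syslogapp/local/inputs.conf": """
[udp://514]
connection_host = ip
sourcetype = syslog
disabled = 0
index = poc
""",
    "etc/system/default/inputs.conf": """
[default]
index = main
host = $decideOnStartup
""",
}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, preserving file order."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), OrderedDict())
            continue
        if current is None or "=" not in line:
            continue  # attribute outside any stanza, or malformed line: ignore
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def precedence_key(path):
    """Sort key for global-context precedence: smaller sorts first and wins.

    Tier 0: etc/system/local, tier 1: app local, tier 2: app default,
    tier 3: etc/system/default. Within a tier, app names compare in ASCII order
    (the earlier name wins). Assumed to match Splunk's documented global rules.
    """
    parts = path.split("/")
    i = parts.index("etc")
    scope = parts[i + 1]          # "system", "apps", "slave-apps", ...
    if scope == "system":
        return (0 if parts[i + 2] == "local" else 3, "")
    app, layer = parts[i + 2], parts[i + 3]
    return (1 if layer == "local" else 2, app)


def effective_settings(files, stanza):
    """Merge one stanza across files, attribute by attribute, highest precedence first.

    Returns {key: (value, source_path)} so each winning attribute carries its origin.
    """
    ordered = sorted(files, key=precedence_key)
    parsed = {path: parse_conf(files[path]) for path in ordered}
    merged = OrderedDict()
    for path in ordered:
        for key, value in parsed[path].get(stanza, {}).items():
            merged.setdefault(key, (value, path))   # first (highest) wins
    # Simplification: [default] attributes fill in only what no explicit stanza set.
    for path in ordered:
        for key, value in parsed[path].get("default", {}).items():
            merged.setdefault(key, (value, path))
    return merged


def report(files, stanza):
    """Render the effective stanza with the file each attribute came from."""
    lines = []
    for key, (value, src) in effective_settings(files, stanza).items():
        lines.append(f"[{stanza}] {key} = {value}    # from {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FILES, "udp://514"))
```

On the sample data the winning `index` is `main` from etc/system/local, even though the pushed app sets `poc`, which is exactly the kind of collision this report makes visible. On a real peer the authoritative version of the same check is `splunk btool inputs list udp://514 --debug`, run on the indexer itself rather than on the cluster master, since the peer's own local files take part in the merge.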