Hello,
Let me explain what issue is going on.
My Splunk environment is as below.
**UF -> HF -> Indexer**
and I'd like to do a **'csv file input test' from UF to Indexer**.
I'd like to use 'monitor' and 'batch' to input the csv file,
and the UF inputs.conf is below.
=====================
[monitor:///var/log]
disabled = false
**index = kwon_test**
[batch:///tmp/c01.csv]
move_policy = sinkhole
disabled = 0
**index = kwon_test**
sourcetype = csv
========================
When I send the data from the UF,
as a result,
the data that uses 'monitor' was sent without any problems.
But,
on the 'batch' side, there are some slightly unclear things about the 'index location'.
As you can see in the inputs.conf above,
I set the index to 'kwon_test' on both the monitor and batch sides.
But when I check the below on the Indexer,
======================
index = "kwon_test"
======================
/var/log is shown in the "kwon_test" index, but [batch] is in index = "main" on the Indexer side.
Why are the resulting index locations different even though I have the same configuration?