We started collecting VPC flow logs at some point. But it started writing them to `/opt/splunk/var/lib/splunk/$INDEXNAME` instead of the `/EBS/$INDEXNAME` which is where the actual index I wanted to write was. This is only datamodel_summary info. When switched to default or main we see the same thing. It writes to the local / directory instead of EBS. Anyone know how to change this? So we decided to remove the vpc_flow information all together, but somehow it keeps coming in. I'm not sure how it's getting the info, how to make it stop, or how to make it at least go to the right place. Any ideas?
↧