Solved

Splunk Syslog Source Index Default Behavior When Not Specified

Forum|Forum|1 day ago
June 23, 2026
4 replies
0 views

LovingCribl
Participating Frequently

This message originated from Cribl Community Slack.
Click here to view the original link.

If the index of a Syslog source isn't specified in the Fields panel, which index would it go to in Splunk?

Best answer by Franco Bonecco

same logic as TCP

F

Franco Bonecco
Employee
Forum|Forum|1 day ago
June 23, 2026

Splunk TCP dests default to main , while HEC doesn't set one

Like

L

LovingCribl
Author
Participating Frequently
Forum|Forum|1 day ago
June 23, 2026

What about the Splunk Indexing Load Balancer destination?

Like

F

Franco Bonecco
Employee
Answer
Forum|Forum|1 day ago
June 23, 2026

same logic as TCP

Like

M

mario
Employee
Forum|Forum|1 day ago
June 23, 2026

You can also check if a "last chance" index is defined in indexes.conf. That defines a fallback destination for events destined for non-existent, disabled, or deleted indexes.

Like

Sign up

Using your Cribl Curious or University Account

Login to the community

Using your Cribl Curious or University Account

Scanning file for viruses.

This file cannot be downloaded