<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic What tips or documentation can help me with a first time Splunk setup of three different types of syslog coming in: Firewall, Windows and Linux? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/What-tips-or-documentation-can-help-me-with-a-first-time-Splunk/m-p/152012#M30935</link>
    <description>&lt;P&gt;Greetings --  Long time user, first-time SysAdmin (of SPLUNK)  I'm sure this is documented, but can someone point me to the specific info I need, or supply some tips?   I can read about all this just fine, if someone can point me at the specific docs needed...&lt;/P&gt;

&lt;P&gt;1.) I have three different types of Syslog coming in;  Firewall, Windows, and Linux.   I guess this means I need three different SourceTypes, so a different set of Interesting Fields is pulled out for each?  How do I create 3 custom SourceTypes each with its own set of Interesting Fields...?&lt;/P&gt;

&lt;P&gt;2.) I need to store the raw syslog data for my Firewalls, Windows &amp;amp; Linux machines  on the SPLUNK server, so it can be viewed by auditors.  How do I configure that?   --How can I configure aging / archiving of these syslog entries?  (three different directory paths for three different types of syslog)&lt;/P&gt;

&lt;P&gt;3.) I currently am using one SourceType, and I have a single firewall  using it.   I'm displaying way more Interesting Fields than what I need.  For instance, I'm displaying "hours", and all  my entries have 24 values (zero through 23) ; this is useless.  How can I get SPLUNK to stop spinning CPU cycles, indexing data on useless fields?   There's a good chance I'll be forced to do this on a Virtual Machine, so I only want SPLUNK spending I/O on fields that I say are interesting...&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Tue, 16 Dec 2014 19:12:31 GMT</pubDate>
    <dc:creator>batsona</dc:creator>
    <dc:date>2014-12-16T19:12:31Z</dc:date>
    <item>
      <title>What tips or documentation can help me with a first time Splunk setup of three different types of syslog coming in: Firewall, Windows and Linux?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/What-tips-or-documentation-can-help-me-with-a-first-time-Splunk/m-p/152012#M30935</link>
      <description>&lt;P&gt;Greetings --  Long time user, first-time SysAdmin (of SPLUNK)  I'm sure this is documented, but can someone point me to the specific info I need, or supply some tips?   I can read about all this just fine, if someone can point me at the specific docs needed...&lt;/P&gt;

&lt;P&gt;1.) I have three different types of Syslog coming in;  Firewall, Windows, and Linux.   I guess this means I need three different SourceTypes, so a different set of Interesting Fields is pulled out for each?  How do I create 3 custom SourceTypes each with its own set of Interesting Fields...?&lt;/P&gt;

&lt;P&gt;2.) I need to store the raw syslog data for my Firewalls, Windows &amp;amp; Linux machines  on the SPLUNK server, so it can be viewed by auditors.  How do I configure that?   --How can I configure aging / archiving of these syslog entries?  (three different directory paths for three different types of syslog)&lt;/P&gt;

&lt;P&gt;3.) I currently am using one SourceType, and I have a single firewall  using it.   I'm displaying way more Interesting Fields than what I need.  For instance, I'm displaying "hours", and all  my entries have 24 values (zero through 23) ; this is useless.  How can I get SPLUNK to stop spinning CPU cycles, indexing data on useless fields?   There's a good chance I'll be forced to do this on a Virtual Machine, so I only want SPLUNK spending I/O on fields that I say are interesting...&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 16 Dec 2014 19:12:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/What-tips-or-documentation-can-help-me-with-a-first-time-Splunk/m-p/152012#M30935</guid>
      <dc:creator>batsona</dc:creator>
      <dc:date>2014-12-16T19:12:31Z</dc:date>
    </item>
    <item>
      <title>Re: What tips or documentation can help me with a first time Splunk setup of three different types of syslog coming in: Firewall, Windows and Linux?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/What-tips-or-documentation-can-help-me-with-a-first-time-Splunk/m-p/152013#M30936</link>
      <description>&lt;P&gt;1) I use syslog as the source type. I use &lt;STRONG&gt;host_regex&lt;/STRONG&gt; in the inputs to properly set the host name; all the logs have the server name included. I use a transform to add a friendly log name based on the source; not necessary, but some of my users find this handy.&lt;/P&gt;

&lt;P&gt;2) You want to manage your buckets to move data. I use volumes to keep relevant data on fast disk and aged data goes to slow disk.&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Configureindexstoragesize"&gt;http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Configureindexstoragesize&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;3) You want to make sure you have the right search mode selected; Fast is your friend.&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Changethesearchmode"&gt;http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Changethesearchmode&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 21 Jan 2015 18:12:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/What-tips-or-documentation-can-help-me-with-a-first-time-Splunk/m-p/152013#M30936</guid>
      <dc:creator>trsavela</dc:creator>
      <dc:date>2015-01-21T18:12:45Z</dc:date>
    </item>
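A worked set of .conf stanzas tying together the three points in the reply above (host_regex on the inputs, a source-derived friendly log name via a transform, and volumes for bucket management), as an added example that is not from the original thread or from Splunk's own documentation. It assumes a hypothetical directory layout (rsyslog or syslog-ng on the Splunk host writing each sender's raw syslog under /var/log/remote/TYPE/HOSTNAME/PROGRAM.log, which also leaves an untouched raw copy for the auditors), placeholder index names, volume paths and sizes, and a one-year retention; the setting names themselves are real inputs.conf, props.conf, transforms.conf and indexes.conf keys.

```ini
# ---- inputs.conf --------------------------------------------------------
# Hypothetical layout: rsyslog/syslog-ng on the Splunk host already writes
# each sender's raw syslog to /var/log/remote/TYPE/HOSTNAME/PROGRAM.log.
# Those files are the untouched raw copy the auditors can read; Splunk only
# monitors them. One stanza per feed gives each its own sourcetype and index.

[monitor:///var/log/remote/firewall]
sourcetype = fw:syslog
index = firewall
# host_regex needs exactly one capture group and is matched against the
# full file path, so the HOSTNAME directory becomes the event's host.
host_regex = /var/log/remote/firewall/([^/]+)/

[monitor:///var/log/remote/windows]
sourcetype = win:syslog
index = windows
host_regex = /var/log/remote/windows/([^/]+)/

[monitor:///var/log/remote/linux]
sourcetype = linux:syslog
index = linux
host_regex = /var/log/remote/linux/([^/]+)/

# ---- props.conf ---------------------------------------------------------
# Attach the index-time transform below to all three sourcetypes.
[fw:syslog]
TRANSFORMS-logname = set_logname

[win:syslog]
TRANSFORMS-logname = set_logname

[linux:syslog]
TRANSFORMS-logname = set_logname

# ---- transforms.conf ----------------------------------------------------
# Derive a friendly "logname" from the source path (the PROGRAM part of the
# layout above) and store it as an indexed field. WRITE_META is what turns
# it into metadata instead of a search-time extraction.
[set_logname]
SOURCE_KEY = MetaData:Source
REGEX = /var/log/remote/[^/]+/[^/]+/([^/]+)\.log$
FORMAT = logname::$1
WRITE_META = true

# ---- indexes.conf (indexer) ---------------------------------------------
# Two volumes: hot/warm buckets on fast disk, cold buckets on slow disk.
# Paths and sizes are placeholders.
[volume:fast]
path = /splunk/fast
maxVolumeDataSizeMB = 500000

[volume:slow]
path = /splunk/slow
maxVolumeDataSizeMB = 2000000

# Same pattern for each index; shown once for firewall.
[firewall]
homePath = volume:fast/firewall/db
coldPath = volume:slow/firewall/colddb
# thawedPath may not reference a volume; it must be an absolute path.
thawedPath = /splunk/slow/firewall/thaweddb
# Freeze a bucket once its newest event is a year old (365 * 86400 s) ...
frozenTimePeriodInSecs = 31536000
# ... and archive it instead of deleting it. An archived bucket keeps only
# the rawdata journal, so a thawed copy must be rebuilt before it is
# searchable again.
coldToFrozenDir = /splunk/archive/firewall
```

host_regex only applies to monitor inputs, so it fits a file-based layout like this one; on a direct udp://514 input you would set connection_host instead and lose the on-disk raw copy. maxVolumeDataSizeMB is a cap on all buckets of every index that references the volume, so size the volumes for the aggregate of firewall, windows and linux, not per index.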
  </channel>
</rss>

