topic Re: Splunk Enterprise & UF on the same machine in Getting Data In

Splunk Enterprise & UF on the same machine

andresito123 — Fri, 24 Apr 2020 13:37:44 GMT

I have inherited a Splunk installation from the previous administrator where there is a heavy forwarder and a UF installed on the same machine.

Since this is a bad practice in terms of performance, I am planning to remove the UF and copy the relevant inputs files to the Splunk Enterprise instance (which acts as a heavy forwarder).

How can I avoid re-indexing the same logs when copying the inputs configuration from the HF to the UF (mainly Windows Events)?

Thanks.

Re: Splunk Enterprise & UF on the same machine

codebuilder — Fri, 24 Apr 2020 23:52:29 GMT

There are multiple methods you can use to solve this. Below are a few (all will involve first stopping the UF):

Rename the existing directory, then re-create it, and configure the HF to monitor.

Archive/compress the existing files and blacklist that file extension (.zip, .gz, etc.) on the HF.

If your existing files contain a timestamp in the file name, blacklist anything older than when you made the cut over from UF to HF.

Opposite of the above, whitelist any file with a timestamp newer than when you make the change.

Those are a few ideas, but again there are multiple ways to accomplish this.
This documentation may help as well:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Whitelistorblacklistspecificincomingdata

Re: Splunk Enterprise & UF on the same machine

andresito123 — Mon, 27 Apr 2020 09:48:01 GMT

ok thanks, those workarounds make sense!

Re: Splunk Enterprise & UF on the same machine

andresito123 — Thu, 30 Apr 2020 10:27:09 GMT

@codebuilder the majority are windows event logs, any ideas on how to archive them?