This widget could not be displayed.
  • This widget could not be displayed.
  • This widget could not be displayed.
  • This widget could not be displayed.
  • All Apps and Add-ons

    Single Index (Historic Data) & Splunk Apps

    gdavid
    Path Finder

    I have a single index that has just been collecting data for months now. I want to use some splunk apps now (citrix / active directory / cisco) . How can i accomplish this?

    is the best plan of attack to export the data into the new databases? (how do i do that?)

    thanks in advance

    gd

    Tags (3)
    0 Karma

    gdavid
    Path Finder

    My end goal was to reindex the data for cisco security app.

    i ended up running a query for my cisco hosts.
    i export to raw

    then imported using
    splunk.exe add oneshot d:\gdtest.raw -host myHostIP -rename-source udp:514

    0 Karma

    vincesesto
    Communicator

    Not sure what the easy way to resolve this issue would be, but I would guess you could either, change the app to point to your old data as well as your new data or use the collect command to move the data into the newly created app index

    eg:

    index=oldindex | collect index=newindex

    The information you search for will then be piped into the index you need

    http://docs.splunk.com/Documentation/Splunk/latest/searchreference/collect

    Not sure if there is a better resolution to this

    0 Karma

    gdavid
    Path Finder

    sorry i'm new to splunk and its terminology.

    i have an existing splunk instance with a single index that has all my data.
    i have a new separate installation with 2 indexers and 1 search head.

    i've installed the citrix xendesktop/xenapp apps and i noticed how it auto created specific indexes. I just assumed that in order to use the different apps the data had to be in the specific indexes.

    0 Karma

    vincesesto
    Communicator

    Hey gd,
    I am not sure what you mean by exporting the data into new databases...With regards to using the splunk app, have you installed them yet and if so, is there no data displaying(Is this the issue you are facing?)
    Regards, Vince

    0 Karma
    Get Updates on the Splunk Community!

    Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

    WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

    Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

    Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

    Enterprise Security Content Update (ESCU) | New Releases

    In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...