- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk Add-On for S3 data inputs question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In our test environment, we successfully setup the Splunk Add-on for Amazon S3 and pulled buckets so that we could view the data and make sure the props.conf settings were sorted out before we moved to production.
When we setup the same configuration in Production, we're only pulling 'new' buckets. We'd like to ingest all the same buckets that were pulled into our test environment. Is there some setting in the Add-on (or on the S3 side) that keeps track of what has already been pulled, thus preventing a duplicate pull?
Thanks very much,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you moved it from test to production, do they share the same devices that pull from S3 and just different indexers? The only thing I can think of is the pointers were already created so when you switched the outputs to a different indexer cluster you kept the previous pointers. Easiest way is to just clone/recreate the S3 inputs (assuming there aren't a ton of them) and it will reload them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ultimately I just wiped and reinstalled the app and reconfigured the inputs. The form has a place to enter the date that you're choosing to go back to, but after the first collection, the app seems to look somewhere else last_modified=2016-04-07T2 instead of the date that you enter via the UI ... gets it from
index_store.last_modified in s3_mod/aws_s3_data_loader.py
Anyway. Thank you. I'm all caught up now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you moved it from test to production, do they share the same devices that pull from S3 and just different indexers? The only thing I can think of is the pointers were already created so when you switched the outputs to a different indexer cluster you kept the previous pointers. Easiest way is to just clone/recreate the S3 inputs (assuming there aren't a ton of them) and it will reload them.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
