We have a new Splunk system as the new log management system. Previously we used Manage Engine Enterprise Log Management. Ther about large amount of data that I need to get accross to the Splunk.
ELA indexed data is not encryoted. So I just copied the data files to the Splunk server local drive and then ran the add files/directoris to preview it and it looks ok.
My question is is this the right way to do this. Sicen I am going to frozen this data after loading to splunk I am going to create a new indeexed so it will not get confused with teh current data coming in. This is once of operation and once I am through with all the data to Splunk then ELA will be decommisioned.
Also these data consits of Windows event logs Active Direcoty , Linux and Network device syslogs. When I load these to Splunk how will it pickup the source types? Do I have manually mentioned the source type?