Getting Data In: Platform (EMEA) - Wed 9/6/23

Community Office Hours

Published on ‎08-02-2023 01:17 PM by Splunk Employee | Updated on ‎09-11-2023 03:29 PM

[EMEA-friendly: 8am PT / 4pm UK time] - Register here and ask questions below. This thread is for the Community Office Hours session on Getting Data In (GDI) to Splunk Platform on Wed, September 6, 2023 at 8am PT / 11am ET / 4pm UK time


This is your opportunity to ask questions related to your specific GDI challenge or use case, including:

  • How to onboard common data sources (AWS, Azure, Windows, *nix, etc.)
  • Using forwarders
  • Apps to get data in
  • Data Manager (Splunk Cloud Platform)
  • Ingest actions, archiving your data, and anything else you’d like to learn!


Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here)


Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.


Look forward to connecting!



adepp
Splunk Employee

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):


Q1: How to get a Python script that runs REST API calls to work with Python 3 on the HF in case Python 2 is withdrawn

  • How to make a Python 2 compatible Splunk app Python 3 compatible
    • Rewrite app so that it’s Python 3 compatible only (e.g. in Splunk 9.x)
    • Rewrite app so that it’s “dual-compatible” to support both Python 2.x and Python 3.x. 
      • Suggested for all developers
      • You can use Splunk provided dual-compatibility libraries: six, python-future, 2to3 (in this order)
      • Caveat - using libraries above might not help in all cases (manual fixes necessary)

Q2: In case we have a lot of scheduled saved searches and not so many ad hoc ones, what can we fine-tune so that the searches are not delayed?

  • Maximize search slots on SH - see Splunk .conf17 slide deck: https://conf.splunk.com/files/2017/slides/splunk-enterprise-security-health-check.pdf
  • Optimize SPL code
  • Optimize resource usage during indexing on IDX
  • Optimize resource usage during searching on IDX
  • Spread your scheduled searches over time
  • Boost resources (CPU, RAM, IOPS) - Add more cores (both to SH and possibly to IDX) if you hit search-slots limit. Splunk reference server hardware specs.

Q3: Splunk Edge Processor - is it possible to both filter data A and send A' to Splunk Cloud and simultaneously send A to S3 bucket?

  • Yes. This is a standard use case and one that customers asked for. All data (A) goes to S3 (unfiltered) to be searched later only if necessary. And filtered (more relevant) data (A’) goes to Splunk Cloud.

Other Questions (check the #office-hours Slack channel for responses):

  • What are the different options to get data in?
  • SWIFT Alliance log integration with Splunk. We were collecting the logs from the SWIFT application using SNMP v2, but it stopped.
  • Edge Processor demo
  • GDI resources for Observability (Azure, serverless functions, K8s microservices, etc.)
  • Additional GDI resources (free courses, .conf sessions, tech talks, etc.)
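As an added illustration of Q1 above (this is not code from the thread or from Splunk), the following standard-library-only helper calls the Splunk REST API on a heavy forwarder in a way that runs unchanged on Python 2.7 and Python 3; it shows the kind of manual fix the "caveat" bullet refers to when the compatibility libraries do not cover a case (the try/except import fallback and the bytes-versus-text handling). The base URL, token and search string are constructed placeholders.

```python
# Added example (not from the office-hours thread or Splunk): a dual-compatible
# (Python 2.7 / Python 3) helper for calling the Splunk REST API from a heavy
# forwarder using only the standard library. Host, token and SPL are placeholders.
from __future__ import print_function, unicode_literals
import json

try:  # Python 3 module layout
    from urllib.request import Request, urlopen
    from urllib.parse import urlencode
except ImportError:  # Python 2 fallback: same names, different modules
    from urllib2 import Request, urlopen
    from urllib import urlencode


def build_search_request(base_url, token, spl, earliest="-15m"):
    """Return a Request for POST /services/search/jobs asking for a JSON reply.

    The POST body must be bytes on Python 3 and str on Python 2; calling
    .encode() on the text urlencode() returns satisfies both.
    """
    body = urlencode({"search": spl, "earliest_time": earliest,
                      "output_mode": "json"}).encode("utf-8")
    req = Request(base_url.rstrip("/") + "/services/search/jobs", data=body)
    req.add_header("Authorization", "Bearer " + token)
    return req


def parse_json_body(raw):
    """Decode a response body (bytes on Python 3, str on Python 2) into a dict."""
    if isinstance(raw, bytes):  # on Python 2 'bytes' is an alias of str
        raw = raw.decode("utf-8")
    return json.loads(raw)


def submit_search(base_url, token, spl):
    """Send the search request and return the job's sid from the JSON reply."""
    resp = urlopen(build_search_request(base_url, token, spl))
    return parse_json_body(resp.read())["sid"]


if __name__ == "__main__":
    # Constructed sample reply in the shape the management port returns.
    sample = b'{"sid": "1694000000.123"}'
    print(parse_json_body(sample)["sid"])
```

The management port normally presents a certificate signed by Splunk's own CA, so on Python 3 pass urlopen an ssl context that trusts that CA rather than disabling verification.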