Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding new data to Splunk

indikawimalasir
New Member
‎11-25-2012 02:42 PM

Hi,

We have a new Splunk system as the new log management system. Previously we used Manage Engine Enterprise Log Management. Ther about large amount of data that I need to get accross to the Splunk.

ELA indexed data is not encryoted. So I just copied the data files to the Splunk server local drive and then ran the add files/directoris to preview it and it looks ok.
My question is is this the right way to do this. Sicen I am going to frozen this data after loading to splunk I am going to create a new indeexed so it will not get confused with teh current data coming in. This is once of operation and once I am through with all the data to Splunk then ELA will be decommisioned.

Also these data consits of Windows event logs Active Direcoty , Linux and Network device syslogs. When I load these to Splunk how will it pickup the source types? Do I have manually mentioned the source type?

Thanks
Indika

Tags (5)
0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎11-26-2012 08:06 AM

it sounds to me as though you're going about this correctly--bringing your legacy data into a separate index is a good call. one thing to make sure you understand is how Splunk archives/freezes data, described here:
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy

in terms of the source types, if your data is of a standard format (AD, OS, and network devices are all pretty standard), Splunk should do the right thing by default. read more about that here:

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Whysourcetypesmatter
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Listofpretrainedsourcetypes

hope this is useful.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...