Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Confused about the data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've enabled Forwarding & Receiving to accept input from the Universal Forwarder that I installed on my servers. Using Wireshark I know data is being sent to the Splunk server. I'm confused about the next steps in terms of indexing the data. Where is it being stored on my server? Do I need to add files on the server? How does the data get to them?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You add data inputs on the Universal Forwarders. The forwarders will read data from these inputs and forward that data to the main Splunk indexer. The indexer stores this data in its index, typically in $SPLUNK_HOME/var/lib/splunk, where $SPLUNK_HOME usually is /opt/splunk in *NIX installations and C:\Program Files\Splunk in Windows installations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You add data inputs on the Universal Forwarders. The forwarders will read data from these inputs and forward that data to the main Splunk indexer. The indexer stores this data in its index, typically in $SPLUNK_HOME/var/lib/splunk, where $SPLUNK_HOME usually is /opt/splunk in *NIX installations and C:\Program Files\Splunk in Windows installations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. You got me moving in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slowry - Ayn is right - post your q's re WI and Windows Mgmt as new q's - the tagging system works in your favour and you will be able to see 'related' if not similar q's people have had. The user experience on the App's release page makes for good reading at http://splunk-base.splunk.com/apps/22315/splunk-app-for-windows
Br, Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's a separate question regarding those specific apps - best idea would be to post that on its own and tag it correctly, so people with knowledge of those apps (I don't have that, sorry) can see and respond.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I see lots of data in the Main file. That's good.
I have Windows Intelligence & Windows Management Apps installed. How do I tell them to use the Main index? I see Indexes for WI, but they are empty, I don't think that's correct, but I don't know how to get the data to them.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
