For various reasons (performance, not picking up files, etc.), we are looking to migrate our syslog receiver from a universal forwarder to a lightweight forwarder.
I have installed the lightweight forwarder package and migrated configurations over, but I want to make sure I grab the checkpoint (place-in-the-file-marker) files, so that no repeat data is indexed. Where can I find these files?
As well, are there any additional considerations before I make the switch, anything else that should be copied over or potential pitfalls?
Thanks,
--adam
You need to get at minimum the $SPLUNK_HOME/var/lib/splunk/fishbucket directory. That's sufficient for file monitors. I believe if you use Windows Event Log inputs, there is another location you need to snag as well, but I don't know it off the top of my head.
$SPLUNK_DB/persistentstorage (also for fschange).