Getting Data In

How do I populate my sources, source types and hosts tables?

remmerson
Engager

For quite a while, I've been attempting to make an identical deployment of a Splunk Enterprise instance.
The original one I have is working just fine; however, I've tried multiple ways to get the exact same data from the original deployment into the new deployment, with little success. The data inputs I have entered are pretty much exactly the same as the original; however, I've only got one entry under 'Sources', one entry under 'Source types' and one entry under 'Hosts' on the new deployment.
In contrast, the original deployment has 231 entries under 'Sources', 3 entries under 'Source types' and 90 entries under 'Hosts'.

The most recent thing I have tried is following this article to try and get the source types in (http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Createsourcetypes), to no avail.

I would appreciate any advice for trying to get this data into the new deployment of Splunk. Let me know if you have any other questions. Cheers.

0 Karma

jtrucks
Splunk Employee

Those lists aren't in a table; they are gathered from searching your existing indexed data. If you are not ingesting the same sources and source types from the same hosts, the lists will be different. Those three items are simply fields like any other from your data in Splunk.

If you want to replicate your entire Splunk ES instance, copy the whole $SPLUNK_HOME folder, then change configs as needed for the new hostname or other items needed. This will copy your existing data and the lookups needed to match your current installation.

--
Jesse Trucks
Minister of Magic
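Since the three lists are just the `host`, `source` and `sourcetype` field values found in indexed data, the practical way to see what the new instance is missing is to pull those values from both instances and diff them. The script below is an added example, not code from this thread or from Splunk: it assumes the results of `| metadata type=hosts` (and likewise `sources` and `sourcetypes`) have been exported from each instance as JSON rows with the field name plus `totalCount`; the sample rows are constructed.

```python
"""Diff host/source/sourcetype coverage between an original and a new Splunk instance."""
import json

# Which result field `| metadata type=<type>` returns for each type (Splunk's own naming).
METADATA_FIELD = {"hosts": "host", "sources": "source", "sourcetypes": "sourcetype"}

# Constructed sample exports: what `| metadata type=hosts index=*` etc. might return,
# saved as JSON from each instance. Not real data.
ORIGINAL = {
    "hosts": json.dumps([{"host": "web01", "totalCount": 1200},
                         {"host": "web02", "totalCount": 900},
                         {"host": "db01", "totalCount": 300}]),
    "sourcetypes": json.dumps([{"sourcetype": "syslog", "totalCount": 2000},
                               {"sourcetype": "linux_secure", "totalCount": 400}]),
}
NEW = {
    "hosts": json.dumps([{"host": "web01", "totalCount": 50}]),
    "sourcetypes": json.dumps([{"sourcetype": "syslog", "totalCount": 50}]),
}


def load_values(export_json, metadata_type):
    """Map each host/source/sourcetype value to its event count."""
    field = METADATA_FIELD[metadata_type]
    return {row[field]: int(row.get("totalCount", 0)) for row in json.loads(export_json)}


def missing_on_new(original_json, new_json, metadata_type):
    """Values indexed on the original instance that the new one has never seen."""
    orig = load_values(original_json, metadata_type)
    new = load_values(new_json, metadata_type)
    return sorted(v for v in orig if v not in new)


def coverage_report(original, new):
    """Per metadata type: what is missing, and how many values both instances share.
    A missing host usually points at an input or forwarder not reaching the new
    instance; a missing sourcetype at inputs.conf/props.conf differences."""
    report = {}
    for mtype, export in original.items():
        missing = missing_on_new(export, new.get(mtype, "[]"), mtype)
        shared = len(load_values(export, mtype)) - len(missing)
        report[mtype] = {"missing": missing, "shared": shared}
    return report


if __name__ == "__main__":
    print(json.dumps(coverage_report(ORIGINAL, NEW), indent=2))
```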

remmerson
Engager

Thanks for your answer; however, doing a migration doesn't exactly fulfil the criteria I am trying to achieve at the moment.
My problem is that I am trying to make a new Splunk instance from scratch, and have it receive the same information that the current one is by manually modifying the configuration, settings, etc.
At the moment, the new instance is receiving some data, but not all of it.

From my understanding, the data is being sent from a separate rsyslog server, and it has been configured correctly to forward syslog files and other data to both the current and new Splunk instances I have (I am pretty sure that the error is not on rsyslog's end).
So to rephrase, my real question is: what exactly do I need to manually configure so that Splunk receives and displays all of the data?

Please forgive me for my lack of knowledge; I am new to Splunk and my understanding of how to set it up isn't fantastic.

I'm happy to provide screenshots to provide more information if you'd like. Cheers.

0 Karma