Getting Data In

Splunk Enterprise & UF on the same machine

andresito123
Communicator

I have inherited a Splunk installation from the previous administrator where there is a heavy forwarder and a UF installed on the same machine.

Since this is a bad practice in terms of performance, I am planning to remove the UF and copy the relevant inputs files to the Splunk Enterprise instance (which acts as a heavy forwarder).

How can I avoid re-indexing the same logs when copying the inputs configuration from the HF to the UF (mainly Windows Events)?

Thanks.

0 Karma
1 Solution

codebuilder
Influencer

There are multiple methods you can use to solve this. Below are a few (all will involve first stopping the UF):

Rename the existing directory, then re-create it, and configure the HF to monitor.

Archive/compress the existing files and blacklist that file extension (.zip, .gz, etc.) on the HF.

If your existing files contain a timestamp in the file name, blacklist anything older than when you made the cut over from UF to HF.

Opposite of the above, whitelist any file with a timestamp newer than when you make the change.

Those are a few ideas, but again there are multiple ways to accomplish this.
This documentation may help as well:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Whitelistorblacklistspecificincomingdata

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma

andresito123
Communicator

@codebuilder the majority are windows event logs, any ideas on how to archive them?

0 Karma

codebuilder
Influencer

There are multiple methods you can use to solve this. Below are a few (all will involve first stopping the UF):

Rename the existing directory, then re-create it, and configure the HF to monitor.

Archive/compress the existing files and blacklist that file extension (.zip, .gz, etc.) on the HF.

If your existing files contain a timestamp in the file name, blacklist anything older than when you made the cut over from UF to HF.

Opposite of the above, whitelist any file with a timestamp newer than when you make the change.

Those are a few ideas, but again there are multiple ways to accomplish this.
This documentation may help as well:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Whitelistorblacklistspecificincomingdata

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

andresito123
Communicator

ok thanks, those workarounds make sense!

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...