Spool vs OneShot

ebwong · ‎10-27-2021

What is the difference between using Spool vs OneShot CLI commands? Unfortunately I'm unable to install UFs or directly poll the logs and need to index tar.gz. Is there a performance benefit? Does using spool allow the indexer Splunk server to index the data in the background?

isoutamo · ‎10-27-2021

Hi

Those are described here https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/MonitorfilesanddirectoriesusingtheCLI

check also this https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Monitorfilesanddirectories

r. Ismo

ebwong · ‎10-27-2021

@isoutamo Thanks for the links to documentation, I'm still not entirely sure in what cases one is better than the other.

Spool vs OneShot

heavy forwarder

scripted input

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

Spool vs OneShot

heavy forwarder

scripted input

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A