What are the things that you normally do as part of a Splunk server installation?
David Carasso published a nice list at http://www.innovato.com/splunk/GettingStarted.htm (and wrote a book too!)
But that list is about a lot of things besides a Splunk server setup.
I am not asking about forwarder setup here, although forwarders will probably be similar. I am looking for the things that you do to make sure that your Splunk server is "good" in the initial setup.
Can a CSV file already uploaded be changed or edited? I would like to know the best approach to treat currency ($ and negative in parentheses) that gets moved as a string into Splunk, besides these two options:
1. Convert currency to numeric before it is loaded into Splunk
2. Do the conversion in the search
Here is some sample data:
ContractDate Amount VendorId Contract_Services
"Sep 25, 2012","$9,843.00","CN99999","FS SERVICES"
"Sep 25, 2012","$4,631.16","CN99999","FS SERVICES"
"Sep 25, 2012","($52,479.99)","CN99999","FS SERVICES"
Here is my personal list.
Edit the following configuration files in $SPLUNK_HOME/etc/system/local:
- inputs.conf
- server.conf
- web.conf
- ui-prefs.conf
Download and install the following apps:
- Sideview Utils
- SOS
- SOS add-on
- Timewrap
- Splunk Common Information Model
- Splunk Deployment Monitor
- Splunk DB Connect
- Anything else that seems useful at the time
For a development server, also install:
- Splunk 6.x Dashboard Examples
- Splunk Web Framework Toolkit
- Splunk Dashboard Examples for 5+ (older)
Check indexes and inputs on all apps
Set Splunk for bootstart (Linux)
Also, here is the ui-prefs.conf that I like:

[search]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

[default]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

I got it from this very useful question-and-answer