- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- methods for removing specific data performance
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, i've been reading over the threads on the topic, and most splunkers are looking at removing some data for space-saving purposes, but I haven't come across any responses addressing performance.
our splunk data has a few different data types - analytics data, backup reports, internal testing logs and some others. while we want to keep analytics data for indefinite periods, I am finding that the reports are becoming very sluggish, and was wondering what approach would be best to strip out specific data. Would the ' | delete ' command prevent the events from being scanned during reporting and improve performance? Or is there another mechanism that would work better for this?
The sort of approach I am looking for, as an example, would be to remove / archive / purge:
- backup logs older than 14 days
- analytics / web access logs flagged as internal users or from certain IP addresses ("internal" based on a field extractor, IP based on inputlookup )
- application logs matching certain search terms older than 30 days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
busy reading up on creating multiple indexes http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes it offers what i am looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what happens to data with a sourcetype of my_sourcetype that doesn't match the regex? does it go to the main index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am following the example to try redirect a sourcetype to an alternative index. The sourcetype definition uses an extract. After adding the transforms to props.conf, I don't see the transformation in the web manager. This is what I have:
props.conf:
[my_sourcetype]
EXTRACT-backuplog = STATUS: \[Name: (?P<JobName>[^,]+), Result: (?P<JobResult>[^;]+);
TRANSFORMS-index = IndexRedirect
transforms.conf
[IndexRedirect]
REGEX = STATUS: \[Job:
DEST_KEY = _MetaData:Index
FORMAT = backup_index
How would I configure an extractor and a transform for a sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
busy reading up on creating multiple indexes http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes it offers what i am looking for.
Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...
Splunk Federated Analytics for Amazon Security Lake
Splunk With AppDynamics - Meet the New IT (And Engineering) Couple
