I've been fighting this for a week and just spinning in circles. I'm building a new distributed environment in a lab to prep for live deployment. All is RHEL 8, using Splunk 9.2: 2 indexers, 3 SHs, cluster manager, deployment manager, 2 forwarders. Everything is "working"; I just need to tune it now. The indexers are cranking out 700,000 logs per hour, and it's 90% coming off audit.log: the indexers processing the logs in and out of buckets. We have a requirement to monitor audit.log at large, but do not have a requirement for it to index what the buckets are doing. I've been looking at different approaches to this, but I would imagine I'm not the first person to encounter this. Would it be better to tune audit.rules from the Linux side? Blacklist some keywords in the indexers' inputs.conf? Tuning through props.conf? Would really appreciate some advice on this one. Thanks!
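The audit.rules side of the question, as an added example that is not part of the post: an exclusion rule scoped to the Splunk index store, placed ahead of the broad watch rules so auditd never emits the bucket I/O records in the first place. The index path `/opt/splunk/var/lib/splunk`, the rules file names and the example watch rules are assumptions; substitute the real path and the rules actually deployed.

```conf
## /etc/audit/rules.d/10-splunk-exclude.rules  (assumed file name)
## augenrules merges rules.d files in lexical order, and a never rule only
## suppresses events if it is evaluated BEFORE the always rules that would
## otherwise match, so this file deliberately sorts early.

# Suppress exit-syscall records for anything under the index store.
# -F dir= is recursive, so hot/warm/cold bucket directories are all covered.
# Scoped to the directory rather than to the splunkd executable, so splunkd
# touching files anywhere else (its own config, /etc, home dirs) stays audited.
# Trade-off: writes to bucket files by any process are no longer auditable;
# the post states that is acceptable for this environment.
-a never,exit -F dir=/opt/splunk/var/lib/splunk

## /etc/audit/rules.d/50-file-access.rules  (assumed example of the broad
## monitoring that stays in place; it now runs after the exclusion above)
-a always,exit -F arch=b64 -S open,openat,creat,truncate,unlink,unlinkat,rename,renameat -k file_access
-a always,exit -F arch=b32 -S open,openat,creat,truncate,unlink,unlinkat,rename,renameat -k file_access
```

Load the merged set with `augenrules --load` and check `auditctl -l`: the never rule must be listed before the file_access rules, otherwise rename the exclusion file so it sorts earlier.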