Hi all - we are starting to build our Splunk as our SIEM, and beginning to link and chain info together. We are setting up a few new indexes to store what I think should be collected or post p...
for a small scale distributed (30GB p/d) splunk instance with indexes currently on one disk.
Planning to introduce SSD for hot/warm index.
I have read various posts and
If we were to configure...
In the documentation about using summaryindexes it says at step 8:
Select a summaryindex. The default
summaryindex is named summary. The
list only displays indexes to which
you have p...
...hysicals for indexers, of course). Our license volume is currently around 10-15GB/day, but we just moved to a 50GB/day license and are expanding to new applications.
I've read through
http://d...
...s not matching according to 2 outputs. Below is my code:
index=_internal source=*metrics.log group=per_index_thruput earliest=-24h@h NOT (series=_* OR series=*summary) | timechart span=2h sum(e...
Be careful when you set size-based retention limits for your indexes so they do not take up too much disk storage space. By default, report acceleration summaries can theoretically take up an u...
Is there a way to include more than one indexer for scheduled searches that write to a summaryindex?
The scheduled search UI does not have it. I am not sure if this can be done via Splunk c...