I was under the impression I could define sourcetypes in props.conf on the forwarder, which would then send that data and the sourcetype information to the indexers. It looks like it does this, at l...
...eason is because I need the data NOT only viewable in the Splunk Web but also need it defined/assigned correctly on the backend for further and separate processing.
Do I need multiple indexers? If s...
The purpose of this topic is to create a home for legacy diagrams on how indexing works in Splunk, created by the legendary Splunk Support Engineer, Masa! Keep in mind the information and diagrams i...
...o the parsing pipeline, where it undergoes event processing. It then moves to the indexQueue and on to the indexing pipeline, which builds the index, or is it a different queue process?
If for e...
Does anyone have any good resources about indexes and index management?
Before I set up a bunch of indexes, I'd like to know more about how indexes impact my deployment.
I found the following configuration in my indexers
[queue]
maxSize = 500KB
[queue=AQ]
maxSize = 10MB
[queue=WEVT]
maxSize = 5MB
[queue=aggQueue]
maxSize = 1MB
[queue=f...
Hello,
We are trying to achieve one-click deployments with Splunk applications. Our desired workflow is below:
1) we develop the app and push the changes to the develop branch
2) we have a pipeline...