Hello,
By default:
Splunk Enterprise decompresses archive files before it indexes them. It can handle these common archive file types: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z.
(h...
So I am trying to monitor a file on the local indexer. I am setting it up through the Web UI to be sure it works. I get the following results in my splunkd.log
05-09-2018 16:05:44.453 -0500 I...
...ead to the new indexer in order to search the data.
Is a better approach to simply stop splunkd on my indexer, create an archive of /var/lib/splunk using an archive utility and then restoring that archive...
Hi Team,
I want to know where my archived files are getting saved as in my indexes.conf file "coldToFrozenDir = ".
Currently we are keeping logs only for 30 days, but the team who is using Splunk...
...utput is the same when there are no issues with my infrastructure. However, Splunk does not index the file because the contents are the same.
I have tried to add the following lines into my p...
...pps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d
So far Splunk failed to index those files with dates after creation o...
How can I configure Splunk to index its own conf files? Would there be any issues with doing this?
Or does Splunk already index those files, and if so, then where are they indexed?
We are trying to index a psv file into Splunk with sourcetype as "psv", but it's not extracting fields from the PSV's first row. Can you please provide the config to add fields as psv header/first r...
We have a license of 100GB of data for indexing per day. Client requirement is to have 60 days of searchable data after which data can be moved to frozen. Below is the index file we configure. could u...