I was under the impression I could define sourcetypes in props.conf on the forwarder, which would then send that data and the sourcetype information to the indexers. It looks like it does this, at l...
...eason is because I need the data NOT only viewable in the Splunk Web but also need it defined/assigned correctly on the backend for further and separate processing.
Do I need multiple indexers? If s...
The purpose of this topic is to create a home for legacy diagrams on how indexing works in Splunk, created by the legendary Splunk Support Engineer, Masa! Keep in mind the information and diagrams i...
...o the parsing pipeline, where it undergoes event processing. It then moves to the indexQueue and on to the indexing pipeline, which builds the index, or is it a different queue process?
If for e...
Does anyone have any good resources about indexes and index management?
Before I set up a bunch of indexes, I'd like to know more about how indexes impact my deployment.
I'm putting together materials for new users to our Splunk Enterprise environment. Can you point me toward some resources to get new users acquainted with Splunk Enterprise basic anatomy and function?
It's almost time for Splunk’s user conference .conf23! This event is being held at the Venetian Hotel in Las Vegas and the Customer Success team couldn’t be more excited to have the chance to c...
I found the following configuration in my indexers
[queue]
maxSize = 500KB
[queue=AQ]
maxSize = 10MB
[queue=WEVT]
maxSize = 5MB
[queue=aggQueue]
maxSize = 1MB
[queue=f...
...ases, 77% say Splunk is helping improve threat detection through data correlation, and 69% say it has shortened investigation cycles.
In application development use cases, Splunk has helped the m...
Hello,
We are trying to achieve one-click deployments with Splunk applications. Our desired workflow is below:
1) we develop the app and push the changes to the develop branch
2) we have a pipeline...