I learned that Splunk compresses the incoming data and creates some index files to point towards compressed raw data. How does Splunk license account for this? Does Splunk charge license for uncompressed incoming data or for the compressed raw data? ... View more

I have searched for data ingestion rate per day for a particular index using below search. And verified it with index size details for all servers in console of indexer cluster master under Distributed Management Console. But the total indexes size does not match between them. index=_internal source="/opt/splunk/var/log/splunk/metrics.log" series=indexname | eval MB=kb/1024 | search group="per_index_thruput" | timechart span=1d sum(MB) by series ... View more

May I know how exactly LINE_BREAKER_LOOKBEHIND works? I am little bit confused by the explanation given in Splunk documentation. Any example would be great. ... View more

I have a epoch time in my events: timestamp=1478787869121. How to write props.conf to extract this timestamp? ... View more

I ingested the logs data to Splunk Uat servers, it got ingested all data including the historic data, But when I ingested same data in to the Splunk Production servers, only current data is ingested. Historic data is not ingested. Is there any settings that should override to ingest historic data. I am not using "ignoreolderthan" in my inputs.conf. My forwarder currently sending data to two groups of indexers. ... View more

In inputs.conf for monitor stanza, can we write regex? If so, /opt/splunk/cgate* matches (/opt/splunk/cgateee) or (/opt/splunk/cgateabd) Can we use wildcards(*) for whitelist attribute? ... View more

I have to break events based on the hex message delimiter. When I ingest data into Splunk, it is showing as letter 'x' or whitespace between events. How do I break events at the hex message delimiter? ... View more

what is the process to move indexes from one splunk deployment controlled by deployment server A to other splunk deployment controlled by deployment server B ... View more

I have ingested the data from a log file but the events were not breaking properly. So I edited the props.conf file to fix the issue. The issue is fixed and current events are breaking properly. But how do I deal with old data which is already ingested with uneven event breaking? I have a limitation that my indexer should not be restarted since it is live. ... View more

Hi I have deployment server and all Splunk instances running under owner A and access group B in linux envirement. But one of the Splunk universal forwarder which have same access group B do not have permissions to read files that are to be ingested. The files have owner X and access group Y. But we have a limitation to add owner A or access group B to group Y at our organisation to give Splunk UF access to ingest files. so we thought to install Splunk UF under owner X and access group Y so that it has permissions to read files. But what are the issues that arise from Splunk UF running under owner X , access group Y and the other splunk instances (deployment server, indexers ,S.H) running under owner A and access group B. Can I proceed with different owner and access group for splunk UF?. ... View more

I pushed updates to inputs.conf and outputs.conf to the universal forwarder. But it is not forwarding data to the indexers. How can I fix? ... View more

I am trying to edit the serverclass.conf in the deployment server to push app to one of the forwarders. when I tried to open it I don't see any of the previous entries in the serverclass.conf except the [global] stanza. ... View more