As the title suggests, I am looking for an efficient way to consolidate multiple standalone Search Heads into single Search Head. How can I ensure all the required search artifacts get appropriately merged into single search head ? ... View more

I have a requirement to forward Okta logs to S3 buckets, in addition to ingesting into Splunk. So I see there might two ways we could forward logs to S3 buckets,  one being, during input phase, where data can be cloned and forwarded to S3 bucket ? In the outputs.conf, there is the below parameter which seems like an option that can fulfil above reqmt, however, its still under development.   remote_queue.sqs.large_message_store.endpoint = <URL> * Currently not supported. This setting is related to a feature that is still under development.Or after indexing logs into SplunkHowever, I am unsure, whether for both options, there is a clearly documented reliable process to achieve the outcome.Can please advise on this ?   ... View more

We are planning to use Infra-as-Code(IAC) for Splunk Cluster implementation. Hence, can anyone please advise if there is an api to bootstrap a SHC ? ... View more

I have a scheduled search that outputs the results every 5 minutes using the outputcsv command to local disk. The file is stored with name abc_dns.csv       index=abc |fields _time _raw |fields - _indextime _sourcetype _subsecond |outputcsv abc_dns     Then I am forwarding that file to an external Indexer inputs.conf   [monitor:///opt/splunk/var/run/splunk/csv/abc_dns.csv] index = abc_dns_logs sourcetype = abc_dns #crcSalt = <SOURCE>   Below is the props.conf   [abc_dns] INDEXED_EXTRACTIONS = csv HEADER_FIELD_LINE_NUMBER = 1 KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = structured TRANSFORMS-t1 = eliminate_header   transforms.conf   [eliminate_header] REGEX = ^"_time","_raw"$ DEST_KEY = queue FORMAT = nullQueue     When I validate the results, I am seeing data is getting duplicated on the external Indexer. I attempted to add crcSalt = <SOURCE> to check if it makes any difference, which seemed that it did initially, however, afterwhile, I saw data was getting duplicated again. In reality, there is indeed duplicate data in original logs itself, but overall I am actually seeing data from the monitored file is also getting duplicated. Can anyone please help with this ? ... View more

I have a requirement to forward search results of a query to an indexer of an external organization. The volume of this data would be fairly high. I understand there are a multiple ways to achieve this. I am thinking to use a script to run every 5 mins to grab the search results via REST API and store it locally on the disk and forward it from there via outputs.conf I also understand this would be very to do via script but only challenge is I am not that experienced with scripting stuff, hence little unsure.  Hence, wondering if anyone can please share if there would be an easier way than doing this via a script. ... View more

In my current setup, I want to forward only internal logs to Indexers in myOrg, whereas, some non-internal logs to Indexers of an external Org. Below is my current outputs.conf, however, its not working as intended. I am seeing forwarder attempting to forward non-internal logs to myOrg's indexers as well.     [tcpout] defaultGroup = Internal_indexers #disable default filters forwardedindex.0.whitelist = forwardedindex.1.blacklist = forwardedindex.2.whitelist = forwardedindex.3.whitelist = #Enable these forwardedindex.4.whitelist = (_audit|_introspection|_internal|_telemetry) [tcpout:Internal_indexers] server = index01:9997 [tcpout:OrgA_indexer] server = y.y.y.y:9997   Update: Below is inputs.conf for non-internal log [monitor://some_source.log] index = abc sourcetype = syslog _TCP_ROUTING = OrgA_indexer   ... View more

In my current setup, I am routing  some data (only non-internal indexes) from our current environment to two different Indexers outside of my Org and I dont have access to them. Is there a way to figure out what stream of data is going to which indexer ?   ... View more

I have two data sources (Syslog and Netflow) which I am collecting on a dedicated host, where I have installed a Universal Forwarder. It is acting as an intermediate forwarder.  I have to route this data to Indexers of two different organisations on their respective indexes. E.g OrgA Syslog needs to go to index=syslog_A Netflow needs to go to index=netflow_A Indexer is IndexerA:9997 OrgB Same Syslog as above needs to go to index=syslog_B Same Netflow as above needs to go to index=netflow_B Indexer is IndexerB:9997 MyOrg Only Splunk internal logs to IndexerMyOrg Because this routing is based on metadata, I believe, I should be able to achieve this using universal forwarder. Can someone please advise how I can achieve this ?   ... View more