×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
srikarmohan
Observer
Member since: ‎09-06-2018
‎11-30-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-06-2018
View All

Extracting fields from Source (Index Time v/s Sear...

by in Splunk Search
‎11-30-2021 02:07 PM
‎11-30-2021 02:07 PM
Hello, We are including the Pod Namespace and Pod Name in the Log Source (for K8s deployments) and would like these fields (Pod Namespace and Pod Name) to be extracted. source: /var/lib/kubelet/pods/*/volumes/kubernetes.io~empty-dir/$(Volume Name)/$(POD_NS)/$(POD_NAME)/*.log Most of our searches (including saved searches) will leverage both, if not atleast one of the two, fields and we were wondering if it is better (performance wise) to do the field extractions at Index Time or at Search Time. It looks like the general practice is to opt for Search Time extraction, however there are may be cases where Index time extraction is preferred. The examples for using Index time extraction mentioned here (https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/Configureindex-timefieldextraction) are not very clear, it seems like the 1st example might apply to our use case and so Index time might be preferred? Thanks, Srikar ... View more
Labels

Re: Will the below properties help us reach the fo...

by in Deployment Architecture
‎09-17-2018 12:26 PM
‎09-17-2018 12:26 PM
Hi Rich, thank you for your prompt response. Since I was using the sizing app which takes the raw size and adds the compression/metadata size factor into account the numbers were off (ex: 1Gb/day for 5 days was resulting in value 2559MB instead of 5GB) but based on your output the calculation looks straight forward. Thanks! ... View more

Will the below properties help us reach the follow...

by in Deployment Architecture
‎09-17-2018 11:25 AM
‎09-17-2018 11:25 AM
Hello, I went through a few forum posts and Splunk documentations on retention settings but it's still not 100% clear on which properties are needed and what their values should be. Would greatly appreciate everyone's help with this topic. For example: lets say on an average, Index X stores 1 GB data/day and we want to keep the data in Hot/Warm for 5 days and in Cold for 365 days then will the properties below help in achieving the data retention goal? We have 3 nodes with RF and SF set to 3. The properties below were generated by the sizing app. [X] homePath = volume:primary/X/db coldPath = volume:secondary/X/colddb homePath.maxDataSizeMB = 2559 --> ~2.5 GB --> Specifies the maximum size of the directory <>/X/db and if this size is exceeded, Splunk will move buckets with the oldest value of latest time (for a given bucket) into the cold DB until homePath (<>/X/db) is below the maximum size coldPath.maxDataSizeMB = 184319 --> ~184 GB --> Specifies the maximum size of the directory <>/X/colddb and if this size is exceeded, Splunk will freeze buckets with the oldest value of latest time (for a given bucket) until coldPath is below the maximum size. maxWarmDBCount = 100 --> The maximum number of warm buckets default it 300 but we want to limit it to 100 frozenTimePeriodInSecs = 31536000 --> 365 days --> Number of seconds after which indexed data rolls to frozen. If you do not specify a coldToFrozenScript, data is deleted when rolled to frozen maxDataSize = auto --> The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Default will be 750MB/bucket maxHotSpanSecs=432000 --> 5 days --> Upper bound of timespan of hot/warm buckets in seconds. Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-30-2021 05:30 PM