×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
yongly
Path Finder
Member since: ‎05-07-2012
‎06-05-2020
Community Statistics
Posts 16
Solutions 0
Karma Given 8
Karma Received 3
Member Since ‎05-07-2012
Activity Feed
View All

Re: Moving from one indexer to two

by in Deployment Architecture
‎04-10-2013 01:16 AM
2 Karma
‎04-10-2013 01:16 AM
2 Karma
I would say that a combination of both would - at least in theory - give the best results, i.e. having the indexes split over more than one indexer will improve results, since the data will be retrieved from more than one source (=less work for each indexer involved). Also, depending on the data stored by each business unit, and the nature of the searches made, it could be beneficial to let each BU have its own index, e.g. if BU1 will never want to (or be allowed to) search for data from BU2, there would be little point in storing them in the same index, since that would make the relvant data being stored less densely. This becomes even more true if, for example, BU1 is responsible for 90% of the indexed events, and BU2 for 10%. Then BU2 would note a significant performance increase in the searches, since in a single index scenario 90% of the events would be 'useless'. This however also has a lot to do with whether the searches are free-text oriented or more strictly defined in terms of sourcetype, source and host restrictions. So similarly, it may be a good idea to split different sourcetypes or hosts into separate indexes. But the answer for which solution is the best is (as always): "it depends". Hope this helps, Kristian ... View more

Re: Weird issue with LDAP users and saved searches

by in Reporting
‎01-08-2013 08:20 PM
‎01-08-2013 08:20 PM
so for anyone who sees this, we worked it out to be the space in between the user names that caused the issues. Apparently this will be fixed in a couple of releases time. ... View more

Re: Routing and Filtering question

by in Getting Data In
‎08-31-2012 12:05 AM
‎08-31-2012 12:05 AM
Yeh after some testing, I found that I had to remove it to get it to recognise the [source:..] stanza. What I don't understand is why it worked with other sources and sourcetypes but not with this one? ... View more

Re: Splunk Heavy Forwarder Filtering and Windows U...

by in Getting Data In
‎07-18-2012 03:03 PM
‎07-18-2012 03:03 PM
Those identifiers are linked to the stanzas which define which transform to use so it shouldn't really be a problem. Nevertheless I did try it and it didn't work. any other ideas? 🙂 ... View more

Re: splunk ports

by in Monitoring Splunk
‎10-11-2014 02:05 PM
3 Karma
‎10-11-2014 02:05 PM
3 Karma
http://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html ... View more

Re: graphing mainteance windows

by in All Apps and Add-ons
‎06-06-2012 12:02 AM
2 Karma
‎06-06-2012 12:02 AM
2 Karma
This question is related to keeping track of states. I always think of this excellent blog post on that subject: http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/ ... View more

Re: Identifying Windows hosts

by in Getting Data In
‎04-10-2013 01:36 PM
‎04-10-2013 01:36 PM
Hello yongly. Thanks very much for your response. I should have thought of the deployment monitor. I just installed it and it helped me pinpoint the problem host. Thanks. ... View more

Re: Filter Log Data on Matches

by in Getting Data In
‎07-17-2012 11:27 PM
‎07-17-2012 11:27 PM
If you want to just filter the access logs from your apache server, then you can do so by filtering on a term or regular expression just like jbsplunk has specified. I have a similar set up with a webserver sending ssl_access_log to an intermediary heavy forwarder which then filters and only forwards events with a string of /WPNotification to the indexer. Not sure what other kind of filtering you might be wanting to do?? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
Karma given to