I've been trying to package the app using the package toolkit and found an interesting issue. I have an older manifest file that has now been updated with the platform requirements section,
and now when I run python -m slim package app-folder I'm getting this error:
Version requirement includes no supported version of Splunk Enterprise: >=8.0.0
I'm not really sure what that means, could someone explain? If I remove that section, it will package the app just fine. My guess is that section is not really necessary in order to publish the app, as the supported platform version could be set on the Splunkbase page, if I'm not mistaken?
I am developing a Splunk app and just wanted to hear from someone what is considered to be the best practice when it comes to sending events to Splunk to be processed and indexed.
Basically, I am concerned that sending events into Splunk as soon as they are available would take a toll on the indexer because there will be a constant flow of data every few seconds, but on the other hand, waiting for all data to come in and then indexing is not an option because events could be coming in for days, and I can't wait that long to see the data in the system. So, my best guess is to set a cap on the number of events that would be indexed at a time, so for example, I would wait for 10000 events to accumulate and then send them into Splunk for processing. Could someone offer advice on this?
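One way to implement the capped-batch approach described in the question, as an added example (not code from the original post or from Splunk): a buffer that flushes to the HTTP Event Collector when it reaches either an event-count cap or an age limit, so a slow trickle of events is never held for days. The HEC URL and token are placeholders, and the `send` callable is injected so the batching logic runs without a live indexer.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Placeholder HEC endpoint and token (assumptions, not values from the question).
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "<hec-token>"


def hec_send(body: bytes, url: str = HEC_URL, token: str = HEC_TOKEN) -> None:
    """POST one batch to HEC; the body is newline-joined JSON event objects."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()  # a non-2xx status raises HTTPError; caller can retry the batch


class BatchingForwarder:
    """Accumulate events; flush at max_events or when the oldest event reaches max_age_s."""

    def __init__(self, send: Callable[[bytes], None], max_events: int = 10000,
                 max_age_s: float = 30.0, clock: Callable[[], float] = time.monotonic):
        self.send, self.max_events, self.max_age_s, self.clock = send, max_events, max_age_s, clock
        self.buffer: List[Dict] = []
        self.oldest: Optional[float] = None  # clock reading when the current batch started
        self.flushes = 0

    def add(self, event: Dict, sourcetype: str = "app:event", index: str = "main") -> bool:
        """Queue one event in HEC envelope form; returns True if this add triggered a flush."""
        if not self.buffer:
            self.oldest = self.clock()
        self.buffer.append({"time": event.get("time", time.time()), "sourcetype": sourcetype,
                            "index": index, "event": event})
        return self.maybe_flush()

    def maybe_flush(self) -> bool:
        """Flush if the count cap or the age limit is reached; call periodically from a timer."""
        if not self.buffer:
            return False
        if len(self.buffer) >= self.max_events or self.clock() - self.oldest >= self.max_age_s:
            self.flush()
            return True
        return False

    def flush(self) -> None:
        """Send the whole buffer as one HEC request (also call this on shutdown)."""
        if not self.buffer:
            return
        self.send("\n".join(json.dumps(e) for e in self.buffer).encode())
        self.flushes += 1
        self.buffer.clear()
        self.oldest = None
```

Pair the count cap with the age timer: the cap protects the indexer from a request per event, and the timer bounds how long a quiet source waits before its events become searchable.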
I have been looking into how to export events from one index, modify the data (as the original event data contain wrong values) and then import those events into another index. By following the accepted answer on this link https://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html, I have managed to export bucket data and make modifications, but when I tried to import the data there was an error:
./splunk cmd importtool /opt/splunk/var/lib/splunk/test_index/db path/to/exported_events.csv
Using logging configuration at /opt/splunk/etc/log-cmdline.cfg.
ERROR IndexConfig - Asked to check if idx= is an index with a remote storage, but that index does not exist on the system or is disabled
Successfully imported 333 events into bucket.
Please ensure this bucket resides in a valid index and restart Splunk to recognize the new events.
Although it says that 333 events were imported, after checking the index, it is still empty. Restarting Splunk didn't help either. I have tried the same thing a couple more times with newly created indexes, but each time I get the same error:
ERROR IndexConfig - Asked to check if idx= is an index with a remote storage, but that index does not exist on the system or is disabled
and end up with an empty index.
Is there something that I have missed here?