Hi, I have to send results to the database from Splunk using Splunk DB Connect. But in documentation it is given that for every execution only the updated results will added to database table. Is it possible to clear all rows in database and add all results (old and new) for every execution? ... View more

I need only fields that are extracted during index_time which are added to _meta. How to search for them so that search is faster ... View more

We have installed Splunk DB Connect on one search head. After establishing the connection and identities, where is the indexed data stored on Splunk (search head or on indexers)? How is the license usage calculated? ... View more

In splunk doc it is mentioned that** [[[Note**: In this example, the order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue. In props.conf: [source::/var/log/messages] TRANSFORMS-set= setnull,setparsing 2. In transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = [sshd] DEST_KEY = queue FORMAT = indexQueue]]] why we need to put nullqueue transform first and index queue later? Putting setnull transform first do not delete events before going to setparsing transform? ... View more

Hi, I have an Index, home path= /data/splunk/indexes/home/index_name/db cold path = /data/splunk/indexes/cold/index_name/db thawed path= $Splunk_DB/index_name/ $Splunk_DB=/opt/splunk/var/lib/splunk I have to move this index to new indexer cluster. Usually in the documentation it is given to move data in Splunk_DB to new location when you want to move indexes. But my data locations are different (not in Splunk_DB). May I know more about what is the procedure? Moreover I see .dat files in $SPLUNK_DB. what is the significance of those files? Description from other duplicate question: How to move index to new cluster where data is in one location(/data/splunk/indexes/.../index_name/db) and .dat files and thawed path in other location(/opt/splunk/var/lib/splunk). ... View more

We want to build a search head cluster. May I know which storage is preferable: SAN or local drive? And why? ... View more

After we retrieve the data from the database, can Splunk DB Connect reformat data before indexing? ... View more

How to find out what SIM model is established for the security logs in Splunk? ... View more

I have to set one search head at a primary data centre and another at a DR (Disaster Recovery) data centre. What things need to be setup for DR search head that replicates original search head and can be used immediately during Disaster Recovery? ... View more

we have 10 indexers with 16 CPU cores each. Our replication is 4 base_searches=6 and max_searches_per_cpu =1. I am getting an error stating "system wide concurrent searches has be reached, maximum=38 current=38". I assume that if indexer has 16 cores, system wide limit should = base_searches+max_searches per_cpu*number of cpu=6+1*16 =22 But why I am getting the error with 38 limit? ... View more

I would like to archive the data older than 1 year. I have a single storage device to store archived data. Can we use use single storage to archive the index data coming from all indexers? or do we need separate storage for each indexer to archive data? ... View more