×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
davidocsch
Loves-to-Learn
Member since: ‎11-23-2016
‎09-17-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-23-2016
View All

Re: How should I configure Splunk Add-on for Unix ...

by in All Apps and Add-ons
‎11-23-2016 09:55 AM
‎11-23-2016 09:55 AM
When you first start any monitor input, Splunk reads the existing files and directories. Typically, there are weeks of data in these files and it will take a while for Splunk to "catch up." So in the beginning, Splunk will be indexing much more data than normal. If this is a problem for you, I suggest: 1. Identify the files and directories being monitored. One of them is probably /var/log 2. Go to each file/directory mentioned and "tidy it up." In particular, /var/log may have many old files that could be deleted. Or at least, if you don't want Splunk to index the file, move it to another directory, like /var/oldlogs 3. Disable any monitor inputs in the linux app that you want to ignore ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-17-2020 03:23 PM