Hi @Sir_Redan, it's usually usefule to clone a Splunk installation only for Forwarders, for Splunk servers, I think that' easier to make a new installation and configure the new server as you need. I say this because you should create a clone for each role (Indexer, Search Head, Heavy Forwarders, etc...) and then manually customize the clone: it's easier to install by scratch the new Splunk Server. Ansible is usually used for Forwarders, because there's no sense to use Ansible for Splunk Servers. About Splunk configuration files, only few of them ar in $SPLUNK_HOME/system/local: they are usually distributed in many folders in $SPLUNK_HOME/etc folder. Ciao. Giuseppe ... View more

HI @Sir_Redan, if you want to restrict access to some Splunk data by dashboard, it's possible to create special dashboards to limit the access to data to some roles and so to some users. Instread it isn't possible to limit access to Splunk data by search because access to indexes i managed by role, so if a role has access to an index,its users can access all the events in that index. In this case the only way is to create different indexes for each level of access. This is one of the two main reasons to create different indexes instead only one for all data (the secondis the data retention). About already indexed data, the situation is the same, it isn't possible to limit search access to an index, so the only way is reindex all data 8if possible). About distribution to different indexes based on host value, you have two ways to do this (only for new data): use different inputs.conf (and different TA and ServerClasses) for different groups of hosts on Forwarders, override the index value by host on Indexers (https://community.splunk.com/t5/Getting-Data-In/How-can-I-override-an-index-name-based-on-sourcetype/m-p/161444) Ciao. Giuseppe ... View more

Hi, I don't know if this is feasible for you but you should be able to rename a sourcetype based on regex (as described here https://community.splunk.com/t5/Splunk-Search/Changing-sourcetype-with-regex/m-p/155058#M43613). With this you could use the default xml sourcetype and the original sourcetype with the rest of your data. I am not sure about the long xml thought. ... View more

Hi @Sir_Redan, the answer of @richgalloway is the full explanation of how DMC works: all logs from all Splunk servers are sent to Indexers, DMC is an additional Search Head that make searches on Indexers and displays results about all Splunk machines of your infrastructure, it doesn't directly query the other machines. In addition I can only add the link to the documentation that you can read https://docs.splunk.com/Documentation/Splunk/8.2.6/DMC/DMCoverview Ciao. Giuseppe ... View more

Just used this solution when upgrading from 8.0.3 to 8.2.6 Splunkd "disappeared" and only existed as a backup file named /etc/systemd/system/Splunkd.service_YYYY_MM_DD_HH_mm_SS ... View more