I usually do the data onboarding process with a separate Splunk dev/test instance to set up props.conf & transforms.conf correctly.

1. Install e.g. the Splunk trial version on your workstation/some server (you could also use a developer or dev/test license for a longer period)
2. Get some sample data from your onboarding system
3. Use Splunk -> Settings -> Add Data
   - Upload
   - Select file (your sample file)
   - Next
   - Update the next settings as needed: Event Break, Timestamp, Advanced
   - When your events are handled properly, remember to save your new sourcetype definition with the "Save As" button
   - Next -> Select host + index -> Review -> Submit
4. Then search the events and do fixes and fine-tuning if needed, as many times as needed. You could remove events from your test index to avoid messing things up, or use a different host name to separate versions
5. After you are happy with those events, just copy your props.conf and transforms.conf and create a separate TA_xyz for those.
6. Then install it on the first full Splunk instance counting from the UF. From time to time there could be some definitions in props.conf which also need to be installed on the UF!

Also you could test whether there are some search-time props/transforms and develop those on this host/environment too. Later on, install those into your production.

I hope this clarifies what I mean by onboarding.

r. Ismo
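A sketch of what the props.conf copied into TA_xyz could look like after the procedure in the post above, grouped by where each setting takes effect. This is an added example, not part of the original post: the sourcetype name `xyz:app`, the sample event and all values are constructed assumptions, while the setting names are standard props.conf settings.

```ini
# TA_xyz/default/props.conf   (TA_xyz is the post's placeholder app name)
#
# Constructed sample event this stanza assumes:
#   2024-05-14 09:21:07.123 +0000 level=INFO user=alice action=login

# Hypothetical sourcetype name, as saved with "Save As" in Add Data
[xyz:app]

# --- Event Break: parsed on the first full Splunk instance (HF or indexer) ---
SHOULD_LINEMERGE = false
# Break only where a new line starts with a date, so multi-line events stay whole.
# The first capture group is discarded as the event delimiter.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}\s)
TRUNCATE = 10000

# --- Timestamp: also parsed on the first full instance ---
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
# The sample timestamp is 29 characters long; do not scan further into the event
MAX_TIMESTAMP_LOOKAHEAD = 30

# --- Settings that take effect on the UF itself ---
# These are the kind of definitions that must be installed on the UF too,
# so that the forwarder switches indexers only at event boundaries.
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}\s)

# --- Search time: belongs on the search head ---
KV_MODE = auto
```

Running `splunk btool props list xyz:app --debug` on each tier shows which file every effective setting comes from, which confirms that the TA was installed where the setting is actually evaluated.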