I have a Splunk Enterprise installation and a Splunk Cloud stack. I want to migrate logging from Enterprise to Splunk Cloud. My EC2 machines have an old Splunk Forwarder installed and are forwarding to the Splunk Enterprise instance. The log file I'm ingesting is JSON format, but each line contains a SYSLOG prefix. This prefix seems to be stripped out by Splunk Enterprise from what I can tell. The sourcetype of the log is a custom type which is NOT explicitly defined on the Splunk Enterprise server. Since the log is JSON, no explicit field extraction is needed. The log events are just JSON messages and are properly extracted.

Now I've changed the outputs.conf on the EC2 machine to send the logs to Splunk Cloud. Nothing else changed. Splunk Cloud indexes the events and the SYSLOG header shows up in Splunk Cloud. That's why the event doesn't seem to be recognized as JSON and field extraction is not working.

Any idea how to tell Splunk Cloud to strip the SYSLOG header from these events? And especially... why was this working apparently automatically on the Splunk Enterprise side? Both Splunk installations have the Splunk Add-On for Unix installed, which seems to contain configuration for stripping SYSLOG headers from events. But I don't understand yet how these come into action.

My inputs.conf:

[monitor:///var/log/slbs/tors_access.log]
disabled = false
blacklist = \.(gz|bz2|z|zip)$
sourcetype = tors_access
index = torsindex

There is no props.conf or transforms.conf on the EC2 machine with the Splunk forwarder for this app (and if so, that should have kicked in when I changed the output to Splunk Cloud).
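For reference, an added example (not from the original post or the Splunk Add-on for Unix) of a props.conf stanza for the custom sourcetype tors_access that removes a leading syslog prefix at index time and then lets search-time JSON extraction run on the clean event. The stanza name, the SEDCMD class name and the regex are assumptions; the regex assumes the JSON object starts at the first "{" on the line.

```ini
# Added example, not the poster's configuration. Assumed stanza for the custom
# sourcetype 'tors_access' whose lines look like:
#   <13>Jun  1 12:00:00 host app[123]: {"status":200,"path":"/x"}
# (constructed sample line; real prefix may differ, adjust the regex accordingly)
[tors_access]

# Index-time: replace everything up to and including the first '{' with '{',
# so the stored _raw is pure JSON. If a line has no '{' the regex does not
# match and the line is left untouched rather than emptied.
# SEDCMD runs on the parsing tier (indexers or a heavy forwarder), not on a
# universal forwarder, so in Splunk Cloud this stanza has to be deployed on
# the cloud side (e.g. in an uploaded app), not on the EC2 forwarder.
SEDCMD-strip_syslog_prefix = s/^[^{]*\{/{/

# Each line is one event; do not merge lines into multi-line events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

# Search-time: extract fields from the JSON body automatically.
KV_MODE = json
```

Because SEDCMD rewrites _raw before indexing, verify on a small test index first, since the original syslog prefix (including its timestamp and host) is not recoverable afterwards.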