×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Nicolas2203
Path Finder
Member since: ‎10-05-2023
Thursday
Community Statistics
Posts 27
Solutions 0
Karma Given 10
Karma Received 0
Member Since ‎10-05-2023
Activity Feed
View All

Re: Redirecting specific logs using a regex

by SplunkTrust in Getting Data In
‎05-06-2025 12:56 AM
‎05-06-2025 12:56 AM
The CLONE_SOURCETYPE option in a transform causes Splunk to create a copy (at this moment of the ingestion pipeline, so all the state of the event at this point is retained) of the processed event, changes its sourcetype to the one specified in the CLONE_SOURCETYPE option and reingests the event back at the (almost) beginning of the pipeline (skipping the initial phases of line breaking and time recognition). See the usual https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774 CLONE_SOURCETYPE is called from a transform in the typing phase. The original event is processed without changes as if the transform containing the CLONE_SOURCETYPE option wasn't there. But the copy is moved back to the typing queue and starts the whole typing phase with a new sourcetype and triggers completely new set of transforms according to the new sourcetype (and possibly new source and host if they were overwritten during the initial transforms run).   ... View more

Re: Deleting datas on one index after routing them...

by in Getting Data In
‎02-21-2025 07:49 AM
‎02-21-2025 07:49 AM
Hello @livehybrid , yes, data are still getting in the original index and they contain "TheAppResourceGroupName"   ... View more

Re: Splunk multiple heavy forwarders and Splunk Ad...

by SplunkTrust in All Apps and Add-ons
‎10-17-2024 03:23 AM
‎10-17-2024 03:23 AM
Hi @Nicolas2203 , ok, good for you, let me know, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉 ... View more

Re: indexer cluster : colddb moved on a san share

by in Deployment Architecture
‎07-24-2024 01:05 AM
‎07-24-2024 01:05 AM
The storage will on a DELL EMC storage, and considering the splunk recomandations and the SAN caracteristics, it will work smoothly, on the paper. I will test with few index and check Thanks a lot for your help ! ... View more

Re: Sourcetype cloning - logs stopped

by in Getting Data In
‎04-11-2024 06:16 AM
‎04-11-2024 06:16 AM
Ok, to be honest I had to check more on the config to properly clone and forward my datas, the behaviour of the conf it's strange. But thanks a lot for your help, I appreciate ! ... View more

Re: Noob question about btool and conf file preced...

by SplunkTrust in Splunk Enterprise
‎02-15-2024 10:08 AM
‎02-15-2024 10:08 AM
As I said earlier, the output from btool is *everything* Splunk will use.  Btool has already selected the appropriate files based on what is available in apps and defaults after applying file precedence rules. IOW, Splunk will use *all* of the outputs.conf files listed by btool, not just the first. ... View more
Contact Me
Online Status
Offline
Date Last Visited
Thursday
Karma given to