Hot and warm are always in the same directory, however your cold buckets can be stored in a different location. This can be configured per index in the indexes.conf file by changing the homePath and coldPath settings. Take a look at the documentation here: http://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Configureindexstorage As an alternative on Windows, you can specify that a disk be mounted in a directory, as well as being a separate drive. This means you can keep the default directory structure of Splunk without having to adjust your indexes.conf files, but still browse to the data via drive letter. Have a look at the following technet article for details on how to do this: https://technet.microsoft.com/en-us/library/cc753321(v=ws.11).aspx ... View more

Since your data is already in CSV format, you can enable CSV extraction using the header row as the field names. Your props.conf should look like this: [ csv_custom ] DATETIME_CONFIG=NONE INDEXED_EXTRACTIONS=csv FIELD_DELIMITER=, Note: You will need to distribute this config to the universal forwarders as well, since they need the configuration to correctly read the CSV file. Are you doing this, or are you only placing the config on the indexer? This config appears to work correctly for me (I added the missing make field into the data): ... View more

No unfortunately, as the authentication system is the same for both internally. I would recommend creating a local admin user for each administrator, using something like DennisFFM_admin , vs your normal DennisFFM account. This way you can have local authentication on the cluster with auditing tied to the user, but still log into the web interface with SSO. ... View more

Extract a field from an existing field automatically: You can use a field transform to automatically extract a new field from an existing auto-extracted field (this lets you choose a source key to extract from). In the GUI, go to Settings --> Fields, then Field Transformations. Click New, then fill in the fields and click Save. The transformation will work automatically for all new searches in the relevant app context. Extract a field from the raw data automatically: If you need to automatically extract a new field from _raw in the first place, we would recommend using automatic extractions. Note that this will work on _raw, so your regex will be a little different - it will have to match on data from the whole event, so you might need something closer to FieldToExtractFrom:(?<ExtractedField>\d+) as your regex (using your example). You can access this from the GUI by going to Settings --> Fields, then Field Extractions. Click New, then fill in the fields and click Save. The extraction will work automatically for all new searches in the relevant app context. Extract data inline from a field with rex: For once off extractions, you can use rex inline, like so: | rex field=FieldToExtractFrom "(?<new_field_name>regexhere)" As an example, say you wanted to extract the first name from a name field, where you have name="First Last" , you could use: | rex field=name "^(?<first_name>\w+?)\s" Which would extract the first name and put it in a new field called first_name . If you have an example to post then I might be able to give a more specific answer for your use case, but I hope this helps. ... View more