Hi,
when working on the indexer machine:
How do I know if a specific configuration (like an input monitor stanza) is applied to the incoming events received from the remote UF or if it's applied to the locally generated events? How can I separate these settings?
Example:
Indexer installed on Windows: I want to exclude event 4662 from localhost but not from the events received from the UF.
Are there two monitors defined? Where?
What if I have already applied blacklist filtering on the UF? Will a second filtering be applied again on the indexer?
Thanks
=======================================
I suppose I didn't manage to express myself correctly. Let's try again:
The Splunk indexer is a role that is installed on a machine.
The indexer receives logs from other machines, called (most of the time) Universal Forwarders (UF).
All the settings in props.conf and transforms.conf on the indexer are meant to be applied to the incoming logs in order to filter/change/reroute/index/drop/etc. those logs/events from the UF.
BUT the indexer is also a machine that is generating logs. Let's call them local logs.
What settings are used to deal with the local logs? Is there an inputs.conf for the local logs?
How can I filter local logs without interfering with the filtering of incoming logs from the UF ?
Should I configure a UF on the indexer in order to inject logs into itself? (That's nonsense, but for the sake of comprehension.)
Is there a unique setting for all logs (incoming & local)? /etc/system/local?
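The configuration split the question is about, shown as an added example (not from the poster, and not a copy of any Splunk documentation). It assumes the indexer's own host name is `idx01` and that both machines use the standard `$SPLUNK_HOME/etc/system/local` location; the stanza names, the `blacklist` syntax and the `nullQueue` routing are standard Splunk settings, the host name and file placement are assumptions made for the example.

```ini
# inputs.conf on the indexer (Windows), $SPLUNK_HOME/etc/system/local
# This stanza only defines the indexer's OWN local input. The blacklist is
# evaluated when the event is collected, so it drops 4662 from the indexer's
# own Security log only; it has no effect on events arriving from a UF,
# which were collected by the UF's inputs.conf, not this one.
[WinEventLog://Security]
disabled = 0
blacklist = 4662

# inputs.conf on each UF, $SPLUNK_HOME/etc/system/local (or an app)
# A blacklist on the UF is applied on the UF, before the event is forwarded.
# An event dropped here never reaches the indexer, so it cannot be
# "filtered twice"; the indexer's inputs.conf blacklist never sees it.
[WinEventLog://Security]
disabled = 0
blacklist = 4662

# props.conf on the indexer
# props/transforms run in the indexer's parsing pipeline, which handles BOTH
# the indexer's own local inputs and the raw data received from UFs. To scope
# a rule to one side, key the props stanza on something that differs between
# them, here the host field. "idx01" is the assumed host name of the indexer.
[host::idx01]
TRANSFORMS-drop4662 = drop_local_4662

# transforms.conf on the indexer
# Routes matching events to nullQueue (discarded before indexing). Because it
# is bound to [host::idx01] above, 4662 events from any other host (the UFs)
# are indexed normally.
[drop_local_4662]
REGEX = (?m)^EventCode=4662$
DEST_KEY = queue
FORMAT = nullQueue
```

With this layout the two paths stay separate: `inputs.conf` on a machine only ever governs what that machine collects itself, while `props.conf`/`transforms.conf` on the indexer see everything that enters its parsing pipeline, so a `[host::...]` (or `[source::...]`) stanza is what keeps a drop rule from also hitting the UF traffic. For the local-only goal in the question, the `inputs.conf` blacklist alone is sufficient; the props/transforms pair is shown for the case where filtering has to happen on the indexer side.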