×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
prasadjvv522
Explorer
Member since: ‎09-22-2014
‎06-05-2020
Community Statistics
Posts 9
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎09-22-2014
Activity Feed
View All

Re: how to convert the raw data into index ?

by Splunk Employee in All Apps and Add-ons
‎10-10-2014 07:47 AM
‎10-10-2014 07:47 AM
Hum this is the core of the product, it indexes events, and store them into buckets (the rawdata folder), and creates tsidx (timeseries index pointer) to make them searchable. (in case of replication, not all copies are searchable) The format and process are of course proprietary, but you can find some details of the different pipelines involved. http://docs.splunk.com/Documentation/Splunk/6.1.4/Deploy/Datapipeline For the collection they are many way : see http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor local monitoring : inputs monitoring files and folders remote monitoring for windows : WMI inputs or AD monitor network inputs : udp or tcp ports are listening on the indexers, by example for syslog on pot 514. forwarding : the indexers have a listening port (splunktcp on port 9997 by example), and forwarders agents on remote servers are monitoring and sending data. see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata see http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverview in case of doubt, run a btool on the inputs, or use the SOS app metrics dashboards to identify forwarders. ./splunk cmd btool inputs list --debug http://docs.splunk.com/Documentation/Splunk/6.1.4/Troubleshooting/Usebtooltotroubleshootconfigurations ... View more

Re: How to aviod or figure out pool size in Splunk...

by in Security
‎10-09-2014 06:04 AM
1 Karma
‎10-09-2014 06:04 AM
1 Karma
You can't change what that host has already logged in the past. You would only be able to change what it is logging going forward by modifying the inputs.conf on that host. You can determine which source on that host is consuming the most with a search like this (sub in the hostname of the offender); index=_internal source=*license_usage.log h=yourhost | chart sum(b) as size by s | sort -size ... View more

Re: what is the Index process ?

by Splunk Employee in All Apps and Add-ons
‎09-23-2014 06:22 AM
‎09-23-2014 06:22 AM
here is some information in the documentation about licensing and license violations: http://docs.splunk.com/Documentation/Splunk/6.1.3/Admin/HowSplunklicensingworks here is some information about how to get data into Splunk: http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All