You could probably start indexing without too much hassle. You don't need to configure anything, but you could avoid a few problems down the line by ensuring that timestamps and sourcetypes are correct.
First - create a dummy test index and upload an Oracle Alert file there to check the following:
are timestamps recognized correctly?
does splunk set a sourcetype name you can live with?
If not, you'd need to fix this before you start to send the files to the production index.
This is done in props.conf and inputs.conf, respectively. inputs.conf deals with things happening during the input phase, so if you have any type of forwarder, you should edit the inputs.conf there. props.conf settings are handled in several phases, but timestamping settings should be configured on the forwarder only if you have a full forwarder. If you have a UF or LWF, or no forwarder at all, this is configured on the indexer.
Some of the following might help you:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
Hope this helps,
Kristian
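As an added example (not part of Kristian's answer or the Splunk_TA_oracle app), here is what the test-index setup described above can look like as configuration: an indexes.conf stanza for the throwaway index, the inputs.conf monitor stanza that goes on the forwarder, and a props.conf stanza for the indexer (or heavy forwarder) that pins down event breaking and timestamps. The index name `oracle_test`, the sourcetype name `oracle:alert`, and the alert log path are assumptions; so is the timestamp layout, which is the classic text alert log format where the timestamp sits alone on a line (`Tue Mar  5 09:13:45 2019`) followed by one or more message lines. Oracle 12.2 and later can write ISO-8601 timestamps (`2019-03-05T09:13:45.123456+00:00`) at the start of each line instead, in which case the LINE_BREAKER and TIME_FORMAT below need to be adjusted to match.

```ini
# indexes.conf (on the indexer): the dummy test index from the answer.
# Assumed name; delete it once you have moved the input to production.
[oracle_test]
homePath   = $SPLUNK_DB/oracle_test/db
coldPath   = $SPLUNK_DB/oracle_test/colddb
thawedPath = $SPLUNK_DB/oracle_test/thaweddb

# inputs.conf (on whichever forwarder reads the file, UF or HF).
# Path and sourcetype name are assumptions; the sourcetype value must match
# the props.conf stanza name so the parsing rules below are applied.
[monitor:///u01/app/oracle/diag/rdbms/orcl/ORCL/trace/alert_ORCL.log]
index = oracle_test
sourcetype = oracle:alert
disabled = false

# props.conf (on the indexer for a UF/LWF, on the HF if you have a full
# forwarder, as the answer explains).
[oracle:alert]
# The classic alert log puts the timestamp on its own line, e.g.
#   Tue Mar  5 09:13:45 2019
# and the message lines that belong to it follow. Break a new event only
# where the next line is such a timestamp, so the message lines stay with
# their timestamp instead of becoming timestamp-less events of their own.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})
# Timestamp is at the very start of the event; %e is the space-padded day
# of month as in ctime output (use %d if your log zero-pads it).
TIME_PREFIX = ^
TIME_FORMAT = %a %b %e %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 32
# Oracle can emit long multi-line ORA- error blocks; do not truncate them.
TRUNCATE = 10000
```

To answer the two questions in the answer after restarting Splunk and letting the file index, compare the parsed event time with the index time, for example `index=oracle_test sourcetype=oracle:alert | eval lag=_indextime-_time | stats count min(lag) max(lag) by sourcetype`. A large or wildly varying `lag` (or every event carrying the file's modification time) means the timestamp was not recognized; a sourcetype other than `oracle:alert` means the inputs.conf stanza is not the one being applied. Only then change `index = oracle_test` to the production index.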
Hi, did you manage it? How did you send the 'alert' log to an index? I have the Splunk_TA_oracle app on a Heavy Forwarder but I don't know how to receive data. Could you walk me through the steps?
Thank you very much and regards.
Thank you, sir. I was able to set up the new sourcetype without any configuration to props.conf but will look into your recommendations.