cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
karthikm
Loves-to-Learn Everything
Member since: ‎07-23-2023
‎09-15-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-23-2023
View All

Is it possible to have WarmData stored partially o...

by in Getting Data In
‎09-14-2023 06:57 PM
‎09-14-2023 06:57 PM
Is it possible to have WarmData stored partially on local indexers' storage and partially on remote storage? My total retention period is 90 days but I would like to keep data for the first 45 days on local indexers as warm buckets and then send the warm buckets to AWS S3 bucket to store for another 45 days. I am using the below settings and the data sent to the S3 afrer 90 days and is stored in frozen instead of warm or cold. How can I set warm or cold data in S3? [default] remotePath = volume:remote_store/$_index_name repFactor = auto frozenTimePeriodInSecs = 7776000 If I change the frozenTimePeriodInSecs = 1555200 (45 days) the data will be sent to S3 after 45 days but it will be sent in frozen buckets. I need to send data either as warm or cold buckets. If I setup  [volume:local_store] maxVolumeDataSizeMB = 1000000 That will send data to S3 only after filling 1 TB in local storage.  How can I maintain a time based storage with 45 days on local storage and 45 days on remote storage? ... View more
Labels

Re: Change Index for some HEC data

by in Installation
‎08-28-2023 06:00 AM
‎08-28-2023 06:00 AM
Hi @gcusello, yes it's distributed on-prem installation. I am not using any add-on for ingesting data. I am using HTTP Event Collector Token to send AWS Cloudwatch logs to Splunk indexers (using load balancing). From the GUI it's possible to select multiple indexes but use only the default index as the log index. So far all the logs are going to the default index and I don't see an option in the HEC settings or GUI where I can change the index name for partial logs coming through the HEC. I tried overriding the index value as you mentioned, but it doesn't work.  Any idea what's wrong in the below config? props.conf [source::syslogng:dev/syslogng/*] TRANSFORMS-hecpaloalto = hecpaloalto disabled = false transforms.conf [hecpaloalto] DEST_KEY = _MetaData:Index REGEX = (.*) FORMAT = palo_alto ... View more

How to Change Index for some HEC data?

by in Installation
‎08-28-2023 02:53 AM
‎08-28-2023 02:53 AM
I have a HEC and I am receiving logs from CloudWatch and the default index is set to "aws". From the same HEC token I am also receiving Firewall logs from CloudWatch and these logs are also going to the index "aws". How can I transform the Firewall logs coming from the same HEC token from a different source to be assigned to index "paloalto"? I tried using the below config but it doesn't work props.conf [source::syslogng:dev/syslogng/*] TRANSFORMS-hecpaloalto = hecpaloalto disabled = false transforms.conf [hecpaloalto] DEST_KEY = _MetaData:Index REGEX = (.*) FORMAT = palo_alto I created the index palo_alto in the cluster master indexes.conf, applied cluster bundles to the indexers. And also applied the above config using deployment server to the Indexers. For some reason the logs are still going to the aws index. ... View more
Labels

Change Index name of some data from HEC

by in Getting Data In
‎07-23-2023 09:47 AM
‎07-23-2023 09:47 AM
I have a HEC token sending various logs from AWS Cloudwatch. HEC token is set to have two indexes paloalto and aws. And all the data is going to the default index aws. I want all the data from the source=syslogng to be sent to index=paloalto instead of index=aws. Should I change the inputs.conf or props.conf for the splunk_httpinput in the deployment apps? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-15-2023 12:45 AM