Today we want to have a look at an index parameter and how it affects storage size and performance. In indexes.conf.spec you find the parameter tsidxWritingLevel. This parameter configures how Splunk creates index files over your rawdata within a bucket. The parameter was introduced in v7.2 and updated in v7.3 and v8.1. This also sets the minimum Splunk version for a bucket index, meaning you will not be able to read buckets created on v8.1 with level 4 on a v8.0 system.
After a while we want to restart the blog series. Today we want to show how to recover data in Splunk which had been deleted using the "| delete" command.
Even if “| delete” is not a very common command, it’s used from time to time to clean up unwanted events. So what happens if you delete data by mistake? How to recover those events when the docs say it’s not possible?
Today we released an enhanced version of the collectd app for Splunk. As the app uses the metrics index and the enhanced mstats command, you will need to use Splunk Enterprise version 7.1.
As some of you know, we love these small Mikrotik boxes running RouterOS. They offer a rich feature set and functionality at a very reasonable price. We also love Splunk, so it makes perfect sense to import RouterOS data into Splunk. To get more value out of your data we've created a Splunk Technology Add-On for RouterOS.
Data is extracted for the Splunk CIM data models network traffic, name resolution (DNS), DHCP and authentication.
Yesterday I had a discussion with a colleague about whether we should switch the indexing of Windows Eventlogs to XML. He mentioned that he was told that it's faster, needs less data volume and is language agnostic.
As I couldn't imagine that something with the abbreviation "XML" in it could be something like "small" and "fast", I decided to do a test.