Recently I've been handed the administration of the Splunk application, as the person who had architected and deployed our installation has left the company. I understand and am functional when it comes to searching, dashboards, etc., but when it comes to forwarder configuration and understanding what data is coming in, I'm slightly lost. Basically I have two main questions:
1. How do I determine how a forwarder is configured on a unit that is already deployed?
2. How can I understand what data is coming in? It is felt that we are using more of our license than we expected, and we want to tone back some of the data that is being captured, but first we need to understand where it is coming from.
Our installation is mostly on Linux, which does nothing to help my understanding, but we are monitoring an almost entirely Windows environment.
If anyone can point me to some good documentation that may answer these questions I would appreciate it.
Also, I'm having trouble with the Splunk-On-Splunk application: when I try to access it, it tells me to install Sideview Utils, which is already installed.
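Added worked example for the second question (this is not part of the original post and not the poster's code). For the first question, the forwarder itself will tell you its effective configuration: `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints every inputs.conf stanza after all apps and layers are merged, with the file each setting came from, and `splunk list forward-server` / `splunk list monitor` show where it sends data and which paths it watches. For the second question, the authoritative record of what counts against the license is `$SPLUNK_HOME/var/log/splunk/license_usage.log` on the license master, searchable as `index=_internal source=*license_usage.log type=Usage | stats sum(b) AS bytes by idx, st, h`. The script below does the same aggregation offline over constructed sample lines in that log's key=value format, so the `SAMPLE_LOG` entries, host names and byte counts are invented for the example; the field names (`s`, `st`, `h`, `idx`, `b`) are the ones Splunk writes.

```python
"""Summarise Splunk license consumption from license_usage.log lines.

Added example, not from the original post.  On a real deployment the
input is $SPLUNK_HOME/var/log/splunk/license_usage.log on the license
master; the lines in SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import defaultdict

# Matches key="quoted value" or key=bare, in whatever order the fields appear,
# so the parser does not depend on Splunk's exact field ordering.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: two domain controllers sending the Security log, a
# perfmon input, a Linux syslog host, plus two lines the parser must ignore
# (a daily RolloverSummary line and an unrelated metrics line).
SAMPLE_LOG = [
    '06-02-2014 10:00:00.000 +0000 INFO LicenseUsage - type=Usage s="WinEventLog:Security" '
    'st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" i="A1B2C3D4" '
    'pool="auto_generated_pool_enterprise" b=734003200 poolsz=53687091200',
    '06-02-2014 10:00:00.000 +0000 INFO LicenseUsage - type=Usage s="WinEventLog:Security" '
    'st="WinEventLog:Security" h="dc02" o="" idx="wineventlog" i="A1B2C3D4" '
    'pool="auto_generated_pool_enterprise" b=629145600 poolsz=53687091200',
    '06-02-2014 10:00:00.000 +0000 INFO LicenseUsage - type=Usage s="perfmon://CPU" '
    'st="Perfmon:CPU" h="app01" o="" idx="perfmon" i="A1B2C3D4" '
    'pool="auto_generated_pool_enterprise" b=15728640 poolsz=53687091200',
    '06-02-2014 10:00:00.000 +0000 INFO LicenseUsage - type=Usage s="/var/log/messages" '
    'st="syslog" h="web01" o="" idx="main" i="A1B2C3D4" '
    'pool="auto_generated_pool_enterprise" b=52428800 poolsz=53687091200',
    '06-02-2014 00:00:00.000 +0000 INFO LicenseUsage - type=RolloverSummary '
    'deploymentId="A1B2C3D4" b=1470103552 poolsz=53687091200',
    '06-02-2014 10:00:01.000 +0000 INFO Metrics - group=thruput, name=index_thruput, kb=1234.5',
]


def parse_usage_line(line):
    """Return the key/value fields of a type=Usage line, or None for any other line."""
    if "LicenseUsage" not in line or "type=Usage" not in line:
        return None
    return {key: bare if bare else quoted for key, quoted, bare in KV_RE.findall(line)}


def aggregate(lines, keys=("idx", "st")):
    """Sum the b (bytes) field per tuple of the given keys, e.g. (idx, st) or (h,).

    Caveat: once an indexer has more distinct (source, host) pairs than
    server.conf's [license] squash_threshold, Splunk writes h and s as empty
    strings and only idx/st remain meaningful, so group by (idx, st) first.
    """
    totals = defaultdict(int)
    for line in lines:
        fields = parse_usage_line(line)
        if fields is None or not fields.get("b", "").isdigit():
            continue
        totals[tuple(fields.get(k, "") for k in keys)] += int(fields["b"])
    return dict(totals)


def top_consumers(lines, keys=("idx", "st"), n=5):
    """Largest n consumers as [((key values...), bytes), ...], descending."""
    return sorted(aggregate(lines, keys).items(), key=lambda kv: kv[1], reverse=True)[:n]


def report(lines, keys=("idx", "st"), n=5):
    """Human-readable table in MiB; returned as text rather than printed."""
    rows = [f"{'/'.join(k):<45} {b / 2**20:>10.1f} MiB"
            for k, b in top_consumers(lines, keys, n)]
    return "\n".join([f"top {n} by {'/'.join(keys)}"] + rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))            # by index/sourcetype
    print(report(SAMPLE_LOG, keys=("h",)))  # by sending host
```

Run it against a real license_usage.log and the (idx, st) view answers "what is eating the license" (here the Windows Security log dominates), while the (h,) view points at the forwarders to tune; the actual trimming is then done in that forwarder's inputs.conf (blacklists on the WinEventLog stanza, or disabling the input) as found with btool above.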