Getting Data In

How do I populate my sources, source types and hosts tables?

remmerson
Engager

For quite a while, I've been attempting to make an identical deployment of a Splunk Enterprise instance.
The original one I have is working just fine, however I've tried multiple ways to get the exact same data from the original deployment into the new deployment, with little success. The data inputs I have entered are pretty much exactly the same as the original, however I've only got one entry under 'Sources', one entry under 'Source types' and one entry under 'Hosts' on the new deployment.
In contrast, the original deployment has 231 entries under 'Sources', 3 entries under 'Source types' and 90 entries under 'Hosts'.

The most recent thing I have tried is follow this article to try and get the sourcetypes in (http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Createsourcetypes) to no avail.

I would appreciate any advice for trying to get this data into the new deployment of Splunk. Let me know if you have any other questions. Cheers.

0 Karma

jtrucks
Splunk Employee
Splunk Employee

Those lists aren't in a table, they are gathered from searching your existing indexed data. If you are not ingesting the same sources and source types from the same hosts, the lists will be different. Those three items are simply fields like any other from your data in Splunk.

If you want to replicate your entire Splunk ES instance, copy the whole $SPLUNK_HOME folder, then change configs as needed for the new hostname or other items needed. This will copy your existing data and the lookups needed to match your current installation.

--
Jesse Trucks
Minister of Magic

remmerson
Engager

Thanks for you answer, however, doing a migration doesn't exactly fulfil the criteria I am trying to achieve at the moment.
My problem is that I am trying to make a new Splunk instance from scratch, and have it receive the same information that the current one is by manually modifying the configuration, settings, etc.
At the moment, the new instance is receiving some data, but not all of it.

From my understanding, the data is being sent from a separate rsyslog server, and it has been configured correctly to forward syslog files and other data to both the current and new splunk instances I have (I am pretty sure that the error is not on rsyslog's end).
So to rephrase, my real question is what exactly do I need to manually configure so that splunk receives and displays all of the data?

Please forgive me for my lack of knowledge; I am new to Splunk and my understanding of how to set it up isn't fantastic.

I'm happy to provide screenshots to provide more information if you'd like. Cheers.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...