Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise & UF on the same machine

andresito123
Communicator
‎04-24-2020 06:37 AM

I have inherited a Splunk installation from the previous administrator where there is a heavy forwarder and a UF installed on the same machine.

Since this is a bad practice in terms of performance, I am planning to remove the UF and copy the relevant inputs files to the Splunk Enterprise instance (which acts as a heavy forwarder).

How can I avoid re-indexing the same logs when copying the inputs configuration from the HF to the UF (mainly Windows Events)?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎04-24-2020 04:52 PM

There are multiple methods you can use to solve this. Below are a few (all will involve first stopping the UF):

Rename the existing directory, then re-create it, and configure the HF to monitor.

Archive/compress the existing files and blacklist that file extension (.zip, .gz, etc.) on the HF.

If your existing files contain a timestamp in the file name, blacklist anything older than when you made the cut over from UF to HF.

Opposite of the above, whitelist any file with a timestamp newer than when you make the change.

Those are a few ideas, but again there are multiple ways to accomplish this.
This documentation may help as well:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Whitelistorblacklistspecificincomingdata

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

andresito123
Communicator
‎04-30-2020 03:27 AM

@codebuilder the majority are windows event logs, any ideas on how to archive them?

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎04-24-2020 04:52 PM

There are multiple methods you can use to solve this. Below are a few (all will involve first stopping the UF):

Rename the existing directory, then re-create it, and configure the HF to monitor.

Archive/compress the existing files and blacklist that file extension (.zip, .gz, etc.) on the HF.

If your existing files contain a timestamp in the file name, blacklist anything older than when you made the cut over from UF to HF.

Opposite of the above, whitelist any file with a timestamp newer than when you make the change.

Those are a few ideas, but again there are multiple ways to accomplish this.
This documentation may help as well:

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Whitelistorblacklistspecificincomingdata

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

andresito123
Communicator
‎04-27-2020 02:48 AM

ok thanks, those workarounds make sense!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...