If you enable crcSalt on an input where it was not already enabled, Splunk will
re-index every file that input matches! Before enabling this setting on an existing
configuration, move the old logs aside, or compress them and blacklist the
compressed files, so that only the data you intend is read again.
Destructively indexing files
If you receive logfiles in batches, you can use the batch input to consume the logs
and then delete them. This should only be used against a copy of the logs.
See the following example:
[batch:///var/batch/logs/*/access.log*]
sourcetype = access
host_segment = 4
move_policy = sinkhole
This stanza would index the files in the given directory and then delete the files.
Be very sure this is what you want to do!
Network inputs
In addition to reading files, Splunk can listen to network ports. The stanzas take
the following form:
[protocol://<remote host>:<local port>]
The remote host portion is rarely used, but the idea is that you can specify different
input configurations for specific hosts. The usual stanzas look like this:
[tcp://1234]: Listen on port 1234 for TCP connections. Anything that can reach
this port can connect and send data in, so restrict it with acceptFrom (a network
ACL in the stanza) or a host firewall rather than leaving it open.
[tcp-ssl://importanthost:1234]: Listen on TCP using SSL, and apply this stanza
only to the host importanthost. Splunk generates self-signed certificates the
first time it is launched. These encrypt the connection but authenticate neither
end, so for production replace them with your own certificates through the [SSL]
stanza (serverCert, sslPassword and, if you want senders to prove their identity,
requireClientCert).
[udp://514]: This is generally used for receiving syslog events. While it works,
it is generally considered best practice to use a dedicated syslog receiver, such
as rsyslog or syslog-ng, and have Splunk read the files it writes. See Chapter 11,
Advanced Deployments, for a discussion of this subject.
[splunktcp://9997] or [splunktcp-ssl://9997]: In a distributed environment, your
indexers receive events from forwarders on the specified port. This is a custom
protocol used between Splunk instances. The stanza is created for you when you
enable receiving from the Manager page at Manager | Forwarding and receiving |
Receive data.
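The batch and network stanzas above are easy to get wrong in ways that either destroy data or expose an indexer to anyone on the network. The following audit script is an added example, not code from the book or from Splunk: it parses an inputs.conf and flags the risky patterns discussed in both sections (a sinkhole batch input, crcSalt on a monitor input, listeners without an acceptFrom ACL, plaintext tcp/splunktcp listeners, a UDP syslog listener, and an SSL listener that still relies on the default self-signed certificate). Both configurations embedded in it are constructed for the example; the paths, ports, hostnames and network ranges are assumptions, and the [SSL] settings (serverCert, sslPassword, requireClientCert) and acceptFrom are real inputs.conf options.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample inputs.conf mirroring the stanzas discussed on this page.
# Assumption: none of these paths, ports or hosts come from a real deployment.
SAMPLE_INPUTS_CONF = """\
[batch:///var/batch/logs/*/access.log*]
sourcetype = access
host_segment = 4
move_policy = sinkhole

[monitor:///var/log/app/*.log]
sourcetype = app
crcSalt = <SOURCE>

[tcp://1234]
sourcetype = raw_tcp

[udp://514]
sourcetype = syslog

[tcp-ssl://importanthost:1234]
sourcetype = secure_tcp

[splunktcp://9997]
"""

# Hardened variant (constructed): only SSL listeners, each restricted with an
# acceptFrom ACL, and an [SSL] stanza pointing at an operator-supplied cert.
# Syslog is left to a dedicated syslog daemon, so there is no udp:// stanza.
HARDENED_INPUTS_CONF = """\
[tcp-ssl://importanthost:1234]
sourcetype = secure_tcp
acceptFrom = 10.0.0.0/8

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = replace-me-placeholder
requireClientCert = true

[splunktcp-ssl://9997]
acceptFrom = 10.0.0.0/8
"""

LISTENER_SCHEMES = ("tcp", "udp", "splunktcp", "tcp-ssl", "splunktcp-ssl")
PLAINTEXT_SCHEMES = ("tcp", "splunktcp")


def parse_inputs_conf(conf_text: str) -> configparser.ConfigParser:
    """Parse inputs.conf text. Keys keep their case (crcSalt, acceptFrom)
    and no interpolation is done, so values such as <SOURCE> pass through."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(conf_text)
    return cp


def audit_inputs(conf_text: str) -> List[Tuple[str, str]]:
    """Return (stanza, finding) pairs for risky input definitions."""
    cp = parse_inputs_conf(conf_text)
    # An SSL listener without a configured serverCert falls back to the
    # self-signed certificate Splunk generated at first launch.
    has_server_cert = cp.has_section("SSL") and cp.has_option("SSL", "serverCert")
    findings: List[Tuple[str, str]] = []
    for stanza in cp.sections():
        opts: Dict[str, str] = dict(cp.items(stanza))
        scheme, sep, _ = stanza.partition("://")
        if not sep:
            continue  # [SSL], [default] and similar non-input stanzas
        if scheme == "batch" and opts.get("move_policy", "").strip().lower() == "sinkhole":
            findings.append((stanza, "destructive: files are deleted after indexing; use only on a copy"))
        if scheme == "monitor" and "crcSalt" in opts:
            findings.append((stanza, "crcSalt set: enabling it on an existing input re-indexes every matched file"))
        if scheme in LISTENER_SCHEMES and "acceptFrom" not in opts:
            findings.append((stanza, "no acceptFrom ACL: any host that can reach the port can send data"))
        if scheme in PLAINTEXT_SCHEMES:
            findings.append((stanza, "plaintext listener: events can be read or injected in transit; use the -ssl form"))
        if scheme == "udp":
            findings.append((stanza, "udp syslog listener: prefer a dedicated syslog receiver such as rsyslog or syslog-ng"))
        if scheme.endswith("-ssl") and not has_server_cert:
            findings.append((stanza, "SSL listener without [SSL] serverCert: default self-signed certificate in use"))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_INPUTS_CONF), ("hardened", HARDENED_INPUTS_CONF)):
        print(f"== {label}: {len(audit_inputs(conf))} finding(s)")
        for stanza, msg in audit_inputs(conf):
            print(f"  {stanza}: {msg}")
```

Run it against a real `$SPLUNK_HOME/etc/system/local/inputs.conf` (or an app's `local/inputs.conf`) by passing the file contents to `audit_inputs`; the hardened configuration produces no findings, while the sample configuration reproduces every caveat from the sections above.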