Book Image

Splunk Essentials - Second Edition

By : Betsy Page Sigman, Erickson Delgado
Book Image

Splunk Essentials - Second Edition

By: Betsy Page Sigman, Erickson Delgado

Overview of this book

Splunk is a search, analysis, and reporting platform for machine data, which has a high adoption on the market. More and more organizations want to adopt Splunk to use their data to make informed decisions. This book is for anyone who wants to manage data with Splunk. You’ll start with very basics of Splunk— installing Splunk—and then move on to searching machine data with Splunk. You will gather data from different sources, isolate them by indexes, classify them into source types, and tag them with the essential fields. After this, you will learn to create various reports, XML forms, and alerts. You will then continue using the Pivot Model to transform the data models into visualization. You will also explore visualization with D3 in Splunk. Finally you’ll be provided with some real-world best practices in using Splunk.
Table of Contents (15 chapters)
Splunk Essentials Second Edition
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Preface

Temporary indexes and oneshot indexing


When you need to index new data and you are unfamiliar with its format, it is always best practice to use a temporary index. You should begin by creating a temporary index just for this purpose. Once you have this temporary index, you can use a Splunk command to add the file once. This process is called  oneshot indexing. This is crucial when you know you have to transform the data prior to indexing, for instance when using props.conf and transforms.conf. A nice feature of oneshot indexing is that there is no need for any kind of configuration before uploading.

Here is how you perform oneshot indexing using the CLI:

C:\> c:\splunk\bin\splunk add oneshot TestFile.log -index TempIndex - 
     sourcetype TempSourceType

You can also do this from the UI by going to Settings | Data inputs | Files and Directories | Add new. Then browse for the file and click on Index Once.

These methods will only work when Splunk is stopped. It will warn you if it is...