Splunk can be instrumental when it comes to aggregating and correlating data. However, like any tool there is a learning curve involved. Migrating away from Linux command line tools and learning something new when you're already pressed for time can slow the learning process. I've included a tidbit below that will help you get your data into splunk as quickly as possible.
Use the Sinkhole:
/opt/splunk/var/spool/splunk
Any data you move to this directory will be indexed by splunk and the original log files deleted. No modifying a GUI or adding a listener. Simply getting the data in splunk so that it can be searched quickly. Enjoy!
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.