Open NeroCube opened 3 years ago
Search Head splunk_sh01_oo_apps/bin/README
splunk_sh01_oo_apps/default/app.conf
# # Splunk app configuration file # [install] is_configured = 0 [ui] is_visible = 1 label = OO Analysis [launcher] author = description =
splunksh01_oo_apps/local/props.conf
[sw_oo_json] KV_MODE = none
splunksh01_oo_apps/metadata/local.meta
[] access = read : [ guest_oo, owner_oo, owner_oo_itadmin ], write : [ admin, owner_oo, owner_oo_itadmin ] owner = OOXXO
Forwarder splunk_dp01_xx_apps/receive_input_oo/local/
[install] state = enabled
[monitor:///home/xxxx/OO_FILES/ox.json] disabled=false sourcetype=ox_json index=idx_ox crcSalt = <SOURCE>
[ox_json] NO_BINARY_CHECK=true CHARSET=UTF-8 INDEXED_EXTRACTIONS=json TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%Q TRUNCATE = 50000 TIMESTAMP_FIELDS="your_timestamp"
Indexer splunk_mnic01_oo_apps/oo_analysis/local/indexes.conf
[idx_oooo] homePath = volume:hotwarmVol/idx_ooo/db coldPath = volume:coldVol/idx_ooo/db thawedPath = /SplunkArchiveData/thawed/idx_ooo/thaweddb summaryHomePath = volume:rasummaryVol/idx_ooo/rasummary tstatsHomePath = volume:dmasummaryVol/idx_ooo/dmasummary frozenTimePeriodInSecs = 94608000 homePath.maxDataSizeMB = 2048 coldPath.maxDataSizeMB = 6144 maxTotalDataSizeMB = 8192 repFactor = auto
Forwarder must be restart.
NeroCube
commented
3 years ago NeroCube
commented
3 years ago
Search Head splunk_sh01_oo_apps/bin/README
splunk_sh01_oo_apps/default/app.conf
splunksh01_oo_apps/local/props.conf
splunksh01_oo_apps/metadata/local.meta
Forwarder splunk_dp01_xx_apps/receive_input_oo/local/
Indexer splunk_mnic01_oo_apps/oo_analysis/local/indexes.conf