Forward(er) Thinking

By now, most of you in the Splunk community have upgraded to or deployed our latest version, 4.2 – and the feedback from customers has been great. One of the many features that enhance this version of Splunk is a little-known one that supports Splunk Forwarders. Called “Indexer Acknowledgement”, this feature offers a very powerful set of capabilities that many have been asking to have included.

The main idea behind Indexer Acknowledgement is the protection of “in-flight” data between Splunk Forwarders and the index servers. If enabled, a Splunk indexer will confirm transmissions from a designated Splunk Forwarder. The Forwarder will perform retries as configured until a valid transmission is received and acknowledged. If the Forwarder is part of …


Colorize your world…or at least your Splunk results.

I uncharacteristically spent more than a few minutes last weekend writing up and testing a response for Splunk>Answers, and after addressing it in last week’s podcast, I thought I should cover it further in a blog post.

The title theme of our SplunkTalk podcast last week was the Big Event, and we broke down a bunch of dialog on event duration, data classification and ultimately eventtypes. Notorious Splunk customer Matt Uebel’s question on Answers asked about “color coding” events within the results tables in the UI.

While it’s less complicated than assembling IKEA furniture, it’s not completely intuitive. In any case – you need to do three things, and the first is to define eventtypes for the different events …
