sundry/ghetto/notes/SplunkDataAdministration/day3.txt

Module 10:
  Modifying raw data before it's indexed
  use per event source types only in a last chance scenario, everything else is better
  to set metadata in transforms.conf
    SOURCE_KEY = _raw
    REGEX = server:(\w+)
    DEST_KEY = MetaData:Host
    FORMAT = host::$1
  Host => host::,

  To change the index at index-time (note the additional underscore here)
    REGEX = (Error|Warning)
    DEST_KEY = _MetaData:Index
    FORMAT = itops

  Filter Events
    FORMAT = nullQueue

  http://<splunk>/debug/refresh - forces splunk to refresh it's config(?)
    at a minimum it does the inputs configurations, definitely doesn't do the indexer


  I need to go over modules 10 and 11. Missed too much i fear

Module 12: Diag
  Creates diagnostic package for shipment to experts.
  ./splunk diag
  Create and index a diag


Course Review:
  Mod 1 - 
  joanna@splunk.com
Add notes from some splunk virtual classes 2017-03-17 09:43:34 -04:00			`Module 10:`
			`Modifying raw data before it's indexed`
			`use per event source types only in a last chance scenario, everything else is better`
			`to set metadata in transforms.conf`
			`SOURCE_KEY = _raw`
			`REGEX = server:(\w+)`
			`DEST_KEY = MetaData:Host`
			`FORMAT = host::$1`
			`Host => host::,`

			`To change the index at index-time (note the additional underscore here)`
			`REGEX = (Error\|Warning)`
			`DEST_KEY = _MetaData:Index`
			`FORMAT = itops`

			`Filter Events`
			`FORMAT = nullQueue`

			`http://<splunk>/debug/refresh - forces splunk to refresh it's config(?)`
			`at a minimum it does the inputs configurations, definitely doesn't do the indexer`


			`I need to go over modules 10 and 11. Missed too much i fear`

			`Module 12: Diag`
			`Creates diagnostic package for shipment to experts.`
			`./splunk diag`
			`Create and index a diag`


			`Course Review:`
			`Mod 1 -`
			`joanna@splunk.com`