How tsidxWritingLevel affects storage size and performance

Today we want to take a look at an index parameter and how it affects storage size and performance. In indexes.conf.spec you find the parameter tsidxWritingLevel. This parameter configures how Splunk creates index files over your rawdata within a bucket. The parameter was introduced in v7.2 and updated in v7.3 and v8.1. It also sets the minimum Splunk version for a bucket index, meaning you will not be able to read buckets created on v8.1 with level 4 on a v8.0 system.


How to recover "| delete"d events

After a while we want to restart the blog series. Today we want to show how to recover data in Splunk that was deleted using the "| delete" command.

Even if "| delete" is not a very common command, it is used from time to time to clean up unwanted events. So what happens if you delete data by mistake? How do you recover those events when the docs say it is not possible?


Published Splunk Technology Add-On for Mikrotik RouterOS

As some of you know, we love these small Mikrotik boxes running RouterOS. They offer a rich feature set and functionality at a very reasonable price. We also love Splunk, so it makes perfect sense to import RouterOS data into Splunk. To get more value out of your data we have created a Splunk Technology Add-On for RouterOS.

Development takes place in the git repo hosted at https://git.batchworks.de/andreas/TA-routeros . You can download it from there or from https://splunkbase.splunk.com/app/3845/.

Data is extracted for the Splunk CIM data models Network Traffic, Network Resolution (DNS), Network Sessions (DHCP) and Authentication.

Why using XML event logs with Splunk sucks

Yesterday I had a discussion with a colleague about whether we should switch the indexing of Windows event logs to XML. He mentioned that he had been told it is faster, needs less data volume and is language agnostic.

As I could not imagine that something with the abbreviation "XML" in its name could be anything like "small" and "fast", I decided to run a test.
