Our environment:
2 indexers, which are also our syslog servers; 1 license server; 1 search head; 1 server with the Enterprise Security app installed; 1 deployment server.
We have the syslog folder under /opt/splunk, and I can see it archives data because I can see its size in TBs. How can I find out if Splunk is ingesting the already indexed data from the syslog folder? In syslog.conf we have this: write logs to /opt/splunk/syslogs/, and in inputs.conf we have [monitor:///opt/splunk/syslogs/cisco/asa/*/*].