Hi,
I have been asked about log parsing and parser error detection in Splunk.
The questions are, in general:
- how can and should I detect parsing errors in Splunk? (A new version of the log source, etc., deployed without notification to the Splunk admin, etc.)
- how should I handle the new log format? There is already data in the index with the old source type. If I modify the sourcetype definition, it will break the search-time field extraction, won't it? Clone and modify the source type?
I can't find a guide or best practice in the docs...
Thanks,
István
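As an added example (not part of the original post and not Splunk's own code or documentation), the following Python script models the first question: detecting that a log source changed format by comparing field-extraction coverage and event-shape fingerprints between a baseline window and a recent window. The log lines are constructed samples, the regex stands in for a sourcetype's search-time extraction, the field names and the 50% drop threshold are hypothetical, and the fingerprint only approximates what Splunk's `punct` field computes. In a real deployment the same two checks would run as a scheduled search over the index rather than as a script.

```python
"""Detect sourcetype parsing drift from extraction coverage and event-shape fingerprints.

Stand-in for a scheduled Splunk search; regex, field names and thresholds are
hypothetical, and all events below are constructed samples.
"""
import re
from collections import Counter

# Constructed sample events. BASELINE_EVENTS is the layout the existing sourcetype's
# extraction was written for; RECENT_EVENTS is what a new release of the (hypothetical)
# log source started emitting, mixed with a few events still in the old layout.
BASELINE_EVENTS = [
    "2024-03-01 10:00:01 user=alice action=login result=success src=10.0.0.5",
    "2024-03-01 10:00:07 user=bob action=login result=failure src=10.0.0.9",
    "2024-03-01 10:01:12 user=alice action=logout result=success src=10.0.0.5",
    "2024-03-01 10:02:45 user=carol action=login result=success src=10.0.1.2",
]
RECENT_EVENTS = [
    '2024-03-02T10:00:01Z {"user":"alice","action":"login","result":"success","src":"10.0.0.5"}',
    '2024-03-02T10:00:09Z {"user":"dave","action":"login","result":"failure","src":"10.0.0.7"}',
    "2024-03-02 10:00:30 user=bob action=logout result=success src=10.0.0.9",
    '2024-03-02T10:01:15Z {"user":"carol","action":"login","result":"success","src":"10.0.1.2"}',
]

# Hypothetical stand-in for the old sourcetype's search-time field extraction.
EXTRACTION = re.compile(r"\buser=(?P<user>\S+)\s+action=(?P<action>\S+)\s+result=(?P<result>\S+)")
REQUIRED_FIELDS = ("user", "action", "result")


def extract_fields(event):
    """Apply the old extraction; returns {} when the regex no longer matches the event."""
    m = EXTRACTION.search(event)
    return m.groupdict() if m else {}


def extraction_coverage(events, required=REQUIRED_FIELDS):
    """Fraction (0.0..1.0) of events in which every required field was extracted."""
    if not events:
        return 0.0
    hits = sum(1 for e in events if all(f in extract_fields(e) for f in required))
    return hits / len(events)


def punct_fingerprint(event, width=30):
    """Approximation of Splunk's punct field: drop letters and digits, map spaces to '_',
    keep the remaining punctuation, truncated to `width` characters."""
    sig = re.sub(r"[A-Za-z0-9]+", "", event).replace(" ", "_")
    return sig[:width]


def new_shapes(baseline_events, recent_events):
    """Fingerprints present in the recent window that never occurred in the baseline,
    with their counts. A new vendor format shows up here before anyone files a ticket."""
    known = {punct_fingerprint(e) for e in baseline_events}
    recent = Counter(punct_fingerprint(e) for e in recent_events)
    return {sig: n for sig, n in recent.items() if sig not in known}


def detect_drift(baseline_events, recent_events, max_relative_drop=0.5):
    """Alert when extraction coverage fell by more than `max_relative_drop` relative to
    the baseline, or when previously unseen event shapes appear."""
    base_cov = extraction_coverage(baseline_events)
    recent_cov = extraction_coverage(recent_events)
    unseen = new_shapes(baseline_events, recent_events)
    coverage_alert = base_cov > 0 and recent_cov < base_cov * (1 - max_relative_drop)
    return {
        "baseline_coverage": base_cov,
        "recent_coverage": recent_cov,
        "unseen_shapes": unseen,
        "alert": coverage_alert or bool(unseen),
    }


if __name__ == "__main__":
    report = detect_drift(BASELINE_EVENTS, RECENT_EVENTS)
    print(f"coverage baseline={report['baseline_coverage']:.2f} "
          f"recent={report['recent_coverage']:.2f}")
    for sig, n in report["unseen_shapes"].items():
        print(f"new event shape x{n}: {sig}")
    print("ALERT: sourcetype parsing drift" if report["alert"] else "ok")
```

On the constructed data the old extraction still matches every baseline event but only one of four recent events, and three recent events carry a punctuation fingerprint the baseline never produced, so both checks fire. Watching coverage of the fields your searches and dashboards actually depend on catches silent breakage; watching for unseen shapes catches it even for events whose fields nobody has extracted yet.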