I have recently written Splunk searches which will search proxy logs for "unique" destination hosts (domains). My initial search filters out domains that we are not interested in receiving in the results. Tscollect is then used to write specific fields from the proxy logs to the namespace websense_exclude_ns.
We are currently using version 6.2.3 of Splunk, and are not using Enterprise Security. I have two questions regarding this:
1. The namespace folder and tsidx files were created in the `/opt/splunk/var/lib/splunk/tsidxstats` folder of the search head. Is there a way for these files to be stored on an indexer (indexer cluster)?
2. Being that we do not have the Enterprise Security application and the SA-Utils app, is there a way to automate the management of the tsidx files?