I am new to Splunk (6.3) and am interested in knowing a few things in addition to the original question:
A. Assuming I can connect to a locally residing MySQL database (5.7) and extract rows from the database is it more efficient to:
1. Have Splunk operate directly on the results of queries against the database OR
2. Have Splunk operate on the results of the query that are stored as a CSV file on the Splunk Server.
B. How do I estimate (ahead of time) the size of the index that will be created using either method.
↧