Hello all,
I have a question. Every night, between 00:00 and 01:30, the data is being actualized by scripts I've written for exporting and getting the data onto the host. When it does the exports, it also changes some part of the data; for example, Priority first appears as "1 - Critical" and the script changes it to "1". My problem is that Splunk collects the data early, or in some way that I cannot figure out, and it indexes it as "1 - Critical".
When I check the data in the morning, the file is correctly changed, but not the index, so I have priorities "1", "3"... and priorities "1 - Critical", "3 - Low"... in the same index, and I would like it to be indexed just as "1", "2", "3"...
Could someone help me with this? Until now, I've been deleting the indexes and creating them once a week, but it's like 10 indexes and the files are correct. I think I just need Splunk to index it later; how can I configure it?
Thank you!