Learn Data Onboarding with Splunk? Start with the Conf Archive!
So today in the Splunk Facebook group I was asked a fair enough question: "How do I get data in?" It's funny how simple this question can seem to someone starting with Splunk, but as you gain experience, how loaded this question is.
Rather than try and write a 100-page blog about data management in Splunk, what I'd rather do is
Two talks that have been outstanding for my ability as a Splunk admin are here:
Data Curator: Here we see gamification and monitoring of the quality of your data. I am shocked not more people do this. Creates an outstanding checklist for doing it right.
Data Settings: Here we go into details on managing the props.conf/transforms.conf and getting the data in. He makes it so simple. http://conf.splunk.com/session/2014/conf2014_AndrewDuca_Splunk_Deploying.mp4
But over the years I've found these talks to be great as well.
Indexes as Splunk Admin https://conf.splunk.com/files/2018/recordings/indexes-a-splunk-admins-fn1658.mp4
Getting Data Ready for Machine Learning https://conf.splunk.com/files/2018/recordings/getting-your-data-ready-fn1418.mp4
Retention and Data Rolling https://conf.splunk.com/files/2017/recordings/splunk-data-life-cycle-determining-when-and-where-to-roll-data.mp4
Data Obfuscation https://conf.splunk.com/files/2017/recordings/data-obfuscation-and-field-protection-in-splunk.mp4
Using Data Stream Processor https://conf.splunk.com/files/2019/recordings/FN2062.mp4
Data Transformation with DSP https://conf.splunk.com/files/2019/recordings/FN2033.mp4
Oh, and by the way, I got one of those fancy Twitters the kids have been talking about lately. Trying to keep that infosec oriented and my posts here Splunk oriented.