Using the Splunk reference URLhttps://docs.splunk.com/Splexicon:Searchpeer

" search peer is a splunk platform instance that responds to search requests from a search head. The term " search peer " is usally synonymous with the indexer role in a distributed search topology. However, other instance types also have access to indexed data, particularly internal diagnostic data, and thus function as search peers when they respond to search requests for that data. "

The CLI command " Splunk add forward-server indexer: < receiving-port > " is used to define the indexer and the listening port on forwards. The command creates this kind of entry " [tcpout-server:// < ip address > : < port > ] " in the outputs.conf file.

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

" In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys. "

REGEX = < regular expression >

* Enter a regular expression to operate on your data.

FORMAT = < string >

* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configuration require the FORMAT settings. The FORMAT settings is optional for search-time field extraction configurations.

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = < key >

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

In Splunk Enterprise, when you configure the server.conf file with strict pool quota=false, it means that license pools are allowed to share the total available license quota rather than being restricted to their individually allocated quotas. However, this does not prevent pools from issuing warnings if they exceed their allocated limits.

Given the environment with a 1000 GB/day license split into three pools:

Pool X: 500 GB/day license, 100 GB used

Pool Y: 350 GB/day license, 400 GB used

Pool Z: 150 GB/day license, 300 GB used

Let ' s analyze the usage:

Pool X is allocated 500 GB/day but has only used 100 GB, well within its limit.

Pool Y is allocated 350 GB/day but has used 400 GB, which exceeds its limit by 50 GB.

Pool Z is allocated 150 GB/day but has used 300 GB, which exceeds its limit by 150 GB.

Even with strict pool quota=false, pools Y and Z have exceeded their individual allocated quotas and will issue warnings. Pool X has not exceeded its quota and thus will not issue any warnings. Therefore, the pools that are issued warnings are Y and Z.

URLhttps://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

" To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually. "

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

because transforms.conf is the right configuration file to state the regex expression.https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf