
Splunk Administration forum: Basic Questions




I have just installed a copy of Splunk to test it for our company. I have 2 basic questions; I would appreciate it if someone could take some time to answer them:

1. I understand that incoming data is indexed and the raw data is compressed when it is brought into Splunk. Where is the actual raw data available? Is it stored in a DB, a text file or an XML file? Where can I see that file?

2. I have added a data input and configured UDP port as source. Can different source types forward data to the same source ?

Thanks.

[Revised on Wed, 18 Nov 2009 06:45:07 -0800]

Also, when the indexes are exported is the data associated with those exported as well ?

1. The data is not stored in its raw format. To get it back, you need to use the splunk "export" (or "exporttool") command. It is stored in the index location under var/lib/splunk/<indexname>/db/<folder>/rawdata/, but it doesn't really help to look at these files, even if you knew which one to look at.
2. Yes, you can forward anything you want. Splunk can apply classification rules to each incoming event/line to categorize it. This could happen automatically, but you'll probably get better results configuring it explicitly (e.g., by looking at the embedded host name or something).

PS: Yes, data is exported. Indexes in Splunk always go with the original raw event data.
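As an added illustration of the "configure it explicitly" advice in the answer above (this is my example, not configuration from the original poster or the answerer), the three stanzas below show a UDP input that assigns a default sourcetype, plus a props.conf/transforms.conf pair that overrides the sourcetype for events whose host name matches a pattern. The port, host pattern and sourcetype names are assumptions chosen for the example; the setting names (`connection_host`, `TRANSFORMS-`, `DEST_KEY = MetaData:Sourcetype`) are standard Splunk configuration keys.

```ini
; inputs.conf  (assumed: one UDP listener on port 514 receiving mixed syslog)
[udp://514]
sourcetype = syslog
; record the sender's IP as the event host so host-based rules can key on it
connection_host = ip

; props.conf  (assumed host pattern "fw-*" for firewall senders)
; Any event whose host field matches fw-* runs the transform named below.
[host::fw-*]
TRANSFORMS-set_fw_sourcetype = set_fw_sourcetype

; transforms.conf
; REGEX = . matches every event from the matching host; the FORMAT value
; rewrites the sourcetype metadata field to the assumed name "firewall_log".
[set_fw_sourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::firewall_log
```

The point of keying on host rather than relying on automatic classification is predictability: every event from a firewall sender gets the firewall sourcetype even when its text looks like generic syslog, so field extractions and searches stay consistent. The override applies at index time, so it affects only data received after the configuration is loaded, not events already indexed.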

For regulatory purposes, we have to maintain a backup of the log data at another location as well. Can the exported data be read without Splunk?