https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698151#M115758 <P>The gzip'd files are index under their own source names.&nbsp; They come in the query because their names match the pattern <FONT face="courier new,courier">source="/var/log/nginx/access.log*"</FONT>.&nbsp; Remove the asterisk and only the one file will appear.</P> Wed, 04 Sep 2024 00:25:31 GMT richgalloway 2024-09-04T00:25:31Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698147#M115757 <P>Suppose I have `/var/log/nginx/access.log` and then a dozen files in the same directory named like `access.log-&lt;date&gt;.gz`. When Splunk processes the gzip'd files, is it supposed to index them under the `/var/log/nginx/access.log` source? I ask because I've noticed that these gzip files show up when I query:<BR /><BR />```<BR />source="/var/log/nginx/access.log*" | stats count by source<BR />```</P><P>&nbsp;</P><P>I'd appreciate a link to docs regarding this, I couldn't find any. Thanks!</P> Tue, 03 Sep 2024 22:36:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698147#M115757 jm_tesla 2024-09-03T22:36:22Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698151#M115758 <P>The gzip'd files are index under their own source names.&nbsp; They come in the query because their names match the pattern <FONT face="courier new,courier">source="/var/log/nginx/access.log*"</FONT>.&nbsp; Remove the asterisk and only the one file will appear.</P> Wed, 04 Sep 2024 00:25:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698151#M115758 richgalloway 2024-09-04T00:25:31Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698153#M115759 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271759">@jm_tesla</a>&nbsp;</P><P>For easy understanding, lets say there are 2 files&nbsp;</P><P><SPAN>/var/log/nginx/access.log and&nbsp;/var/log/nginx/access1.log&nbsp;</SPAN><SPAN>Inside a gzip file. </SPAN></P><P><SPAN>When you onboard this gzip'd log to Splunk, the Splunk engine will undo the gzip and read both files and assign&nbsp;<BR />source for first file as "/var/log/nginx/access.log"</SPAN></P><P><SPAN>source for the 2nd file as "/var/log/nginx/access1.log"<BR /></SPAN></P><P><SPAN>from the documentation -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Monitorfilesanddirectories" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Monitorfilesanddirectories</A></SPAN></P><P><SPAN><BR />other than gzip, these are supported:</SPAN></P><UL><LI><DIV class="">TAR</DIV></LI><LI><DIV class="">GZ</DIV></LI><LI><DIV class="">BZ2</DIV></LI><LI><DIV class="">TAR.GZ and TGZ</DIV></LI><LI><DIV class="">TBZ and TBZ2</DIV></LI><LI><DIV class="">ZIP</DIV></LI><LI><DIV class="">Z<BR /><BR />Best Regards, Sekar</DIV></LI></UL> Wed, 04 Sep 2024 00:44:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698153#M115759 inventsekar 2024-09-04T00:44:09Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698157#M115760 <P>Thanks, and that makes sense. I was hoping (expecting, honestly) that Splunk would realize that the gzip'd log files "were really just `access.log` at a previous time".&nbsp;<BR /><BR />It's good to have clarity!</P> Wed, 04 Sep 2024 01:17:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698157#M115760 jm_tesla 2024-09-04T01:17:36Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698158#M115761 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271759">@jm_tesla</a>&nbsp;</P><P>&gt;&gt;&gt;<SPAN>the gzip'd log files "were really just `access.log` at a previous time".&nbsp;</SPAN></P><P>yes, you are right actually.&nbsp;</P><P>"the previous time" will be file's last modification time.. that will become the<STRONG>&nbsp;"_time"</STRONG></P><P>Each file's name will be assigned to the field <STRONG>"source"<BR /></STRONG>the sourcetype will be just the "filename" (gzip will be removed)</P><P>the source will be filename.gzip\filename1.txt and&nbsp;filename.gzip\filename2.txt (i just verified this, on Splunk 9.3.0)<BR /><BR />if you got your answers, can you pls mark this post as resolved (so that it will move from unanswered to answered and i will get a solution authored as well <span class="lia-unicode-emoji" title=":winking_face:">😉</span> .. thanks)</P><P><BR />Best Regards</P><P>Sekar</P> Wed, 04 Sep 2024 01:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698158#M115761 inventsekar 2024-09-04T01:49:37Z https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698330#M115781 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/271759">@jm_tesla</a>&nbsp;</P><P>May i know if you have further questions?.. if no then, could you pls mark this post as resolved (so that it will move from unanswered to answered and i will get a solution authored as well&nbsp;thanks)</P><P><BR />Best Regards</P><P>Sekar</P> Thu, 05 Sep 2024 19:42:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-Splunk-handle-gzip-d-logs/m-p/698330#M115781 inventsekar 2024-09-05T19:42:41Z