topic Re: How to archive specific logs in Getting Data In

How to archive specific logs

aywong — Thu, 25 Oct 2012 15:06:42 GMT

If I find something worth keeping I would like to be able to archive the specific event logs that I want and save them somewhere outside of splunk.

coldToFrozenDir, determines the behavior when cold rolls to frozen and archives the frozen buckets in the specified directory, but I only want to archive specific logs, at random.

for example if I do a search and find a log that I would like to just keep, how do I just keep that one.

Re: How to archive specific logs

Ayn — Thu, 25 Oct 2012 15:12:53 GMT

You could use the collect command to grab the search results for some search with interesting results and write those results to a separate index that has a much longer retention time than your main index.

Re: How to archive specific logs

sowings — Thu, 25 Oct 2012 15:14:07 GMT

The easiest way to do what you're asking is to export the results using the "export" button in the search view, print it, or "save search and results".

coldToFrozenDir works at the bucket (subdivision of an index) level, and it's unlikely that you could archive a particular piece of log segment in a single bucket (not without a lot of other things in that bucket, too).

You could also consider saving just the "_raw" field of the events found by your search. This would work for the export functionality, too. When you're satisfied with the search expression to get the results you want, add | table _raw at the end, then export the results when the search finishes.

Re: How to archive specific logs

peter_krammer — Tue, 25 Nov 2014 16:21:05 GMT

The problem with this method is that the fields source, sourcetype and host are overridden.
It would be better if there was an option to archive data or mark data as don't delete until you do not need them anymore.
We have to sometimes keep specific Data for further analysis and do not know how long we need to keep them.