https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227916#M44418 <P>Seksit-<BR /> I think you should understand how Splunk processes and stores files. That should lead to a better understanding of whats going on and how it relates to your use case.</P> <P>When you 'monitor' a file or directory, irregardless of if the file is manually copied or generated by an app, Splunk will read the files and index them. The indexing process take the 'raw' data and reads it in and performs various operations such as assigning sourcetypes, placing it in a defined index, extracting timestamps and hostnames. Files are written to buckets(files on disk) on the indexers, and associated metadata is created and stored with the buckets. When you search in Splunk, this is what is searched. Typically the indexed data is compressed as white space and unneeded characters are removed.</P> <P>So with that in mind, once you have indexed the monitored files, they can be deleted or rotated out. Of course, you need to consider your retention and legal compliance policies if you can delete the files.</P> <P>On another note, compressed files and Splunk are a sticky point. Splunk's unarchiving tool is single threaded. So when Splunk encounters a tar/zip/gzip/tgz file, it has to extract it before it can read it. If you are dealing with a lot of files at once, this will create a slow down on your system and use more memory. </P> Mon, 18 Jan 2016 05:33:16 GMT esix_splunk 2016-01-18T05:33:16Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227911#M44413 <P>Hi friend,</P> <P>I've a server and already install splunk. This server has many log file (tar.gz) that import from another server.</P> <P>I would like to use splunk monitor this log via directory such as /var/log/2016/01, /var/log/2016/02.</P> <P>If splunk monitoring the directory, splunk will store the raw data (double raw data) from log file?</P> <P>Please help me to understand it.</P> <P>Thank you </P> <P>sorry for my english</P> Mon, 18 Jan 2016 03:36:47 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227911#M44413 seksit 2016-01-18T03:36:47Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227912#M44414 <P>Sorry but what you mean by double raw data? Splunk picks up files from the directory and indexes it. It won't pick up the same file twice;Splunk checks first few bytes of file to see if it was already indexed</P> Mon, 18 Jan 2016 04:10:23 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227912#M44414 renjith_nair 2016-01-18T04:10:23Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227913#M44415 <P>Hi renjith.nair Thank you for your advice.</P> <P>That log file import by manual don't use splunk forwarder (copy from external HDD). </P> <P>If splunk monitor directory splunk will store raw data in splunk directory?</P> Mon, 18 Jan 2016 04:23:18 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227913#M44415 seksit 2016-01-18T04:23:18Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227914#M44416 <P>If you have configured Splunk to monitor a directory, Splunk picks up the files irrespective of whether it's copied manually or generated by some apps. Splunk checks the first bytes to check if the file was indexed previously and stores the events. If you want to exclude some files from a directory, that's also possible.</P> Mon, 18 Jan 2016 04:38:57 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227914#M44416 renjith_nair 2016-01-18T04:38:57Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227915#M44417 <P>Hi seksit,</P> <P>In your case, splunk will index the data from the log files ( present in the directory such as /var/log/2016/01, /var/log/2016/02) in the splunk index directory <CODE>$SPLUNK_HOME/var/lib/splunk/</CODE> in compressed format. </P> <P>In simple words, this is a copy of the source data but the size and format of the data is not same. Splunk stores the data in a series of index files.</P> <P>For more read on how splunk indexes, please refer <A href="http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/HowSplunkstoresindexes">http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/HowSplunkstoresindexes</A></P> <P>Hope this solves your queries to some extend.</P> Mon, 18 Jan 2016 04:42:42 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227915#M44417 Murali2888 2016-01-18T04:42:42Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227916#M44418 <P>Seksit-<BR /> I think you should understand how Splunk processes and stores files. That should lead to a better understanding of whats going on and how it relates to your use case.</P> <P>When you 'monitor' a file or directory, irregardless of if the file is manually copied or generated by an app, Splunk will read the files and index them. The indexing process take the 'raw' data and reads it in and performs various operations such as assigning sourcetypes, placing it in a defined index, extracting timestamps and hostnames. Files are written to buckets(files on disk) on the indexers, and associated metadata is created and stored with the buckets. When you search in Splunk, this is what is searched. Typically the indexed data is compressed as white space and unneeded characters are removed.</P> <P>So with that in mind, once you have indexed the monitored files, they can be deleted or rotated out. Of course, you need to consider your retention and legal compliance policies if you can delete the files.</P> <P>On another note, compressed files and Splunk are a sticky point. Splunk's unarchiving tool is single threaded. So when Splunk encounters a tar/zip/gzip/tgz file, it has to extract it before it can read it. If you are dealing with a lot of files at once, this will create a slow down on your system and use more memory. </P> Mon, 18 Jan 2016 05:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227916#M44418 esix_splunk 2016-01-18T05:33:16Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227917#M44419 <P>That's my understanding and that's what I was trying to convey to seksit's question as well. The question was not asked by me but seksit <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 18 Jan 2016 05:39:48 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227917#M44419 renjith_nair 2016-01-18T05:39:48Z https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227918#M44420 <P>Updated, misread the first commen!</P> Mon, 18 Jan 2016 05:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/I-have-a-question-about-raw-data-and-index-data-in-indexer/m-p/227918#M44420 esix_splunk 2016-01-18T05:45:02Z