topic Re: Recreate an indexed 'source' file in Getting Data In

Recreate an indexed 'source' file

ironhalo — Fri, 15 Jul 2011 18:30:50 GMT

Is there a way to extract the entire source file from the splunk index?

Re: Recreate an indexed 'source' file

mw — Fri, 15 Jul 2011 18:38:11 GMT

Can you explain more about the use-case? There isn't a single file once it's indexed within Splunk. But, you can conduct an appropriate search and then click on the little down arrow to the left of the timestamp and click "View Source" to see the raw events.

Re: Recreate an indexed 'source' file

ironhalo — Fri, 15 Jul 2011 19:49:12 GMT

The process in question continually generates a lot of log information, once the log file reaches a certain size it's written over. I've tried to 'view source', but it returns an error. I figured the next best solution would be to try and re create the log file entirely. These log files can be tens of thousands of lines.

Re: Recreate an indexed 'source' file

rroberts — Wed, 02 Nov 2011 19:56:33 GMT

Check the splunk export command.

./splunk export eventdata -index main -dir /tmp/events -host www -sourcetype syslog -terms "dhcp OR bind"