topic Re: How to import old log files to splunk in Getting Data In

How to import old log files to splunk

vinaykata — Mon, 20 Aug 2018 18:04:48 GMT

I have a remote server which has 1 week older rolling logs. I wanted to monitor those logs so I have installed UF and set up inputs.conf. The newly created logs are showing up on Splunk search, but I am not able to search those 1week older files. Below is my inputs.conf. Is there any other way that I can import that logs to the same source type, same index and from the same host. Thank you

Sorry, that's my bad, I would have mentioned I wanted to index the earlier 7 days data, not older than 7days. Let's say today is 20th aug, So, I wanted to index data from 14th -19thAugust logs.

Splunk: 6.6.3

[monitor://D:\xxx*.log]
disabled = false
sourcetype = AAA
ignoreOlderThan = 7d

Re: How to import old log files to splunk

CarsonZa — Mon, 20 Aug 2018 18:37:24 GMT

im a little confused on what youre wanting to do. Are you wanting to search within those 7 days that you have indexed or wanting to search older than seven days?

Re: How to import old log files to splunk

halisc — Mon, 20 Aug 2018 18:41:04 GMT

Hi,

In your inputs file you used "ignoreOlderThan = 7d" tag which ignores to index data older then 1 week. Since I do not know exact time of your old log files I could not say this is the exactly problem but if your log files are created older than "08/13/2018" they will not be forwarded so you wont be able to see them in your environment.

You should change that value into something ignoreOlderThan=Today-LogFileDate

Re: How to import old log files to splunk

vinaykata — Mon, 20 Aug 2018 18:42:09 GMT

I wanted to index those 7days old logs and do a search on those for specific errors. Thanks for ur prompt response

Re: How to import old log files to splunk

vinaykata — Mon, 20 Aug 2018 18:55:42 GMT

Sorry, that's my bad, I would have mentioned I wanted to index the earlier 7 days data, not older than 7days. Let's say today is 20th aug, So, I wanted to index data from 14th -19thAugust logs.

Re: How to import old log files to splunk

CarsonZa — Mon, 20 Aug 2018 19:01:07 GMT

ok so this is more of a not seeing forwarded data problem.

first observation is you dont have an index defined. Not sure if that was a typo in your post or you dont have one in your stanza. If you dont have one in your input stanza I would check and see if your data is in index=main.

Re: How to import old log files to splunk

vinaykata — Mon, 20 Aug 2018 19:08:15 GMT

it's going to default index (main) that's why I didn't mention it in the stanza

Re: How to import old log files to splunk

CarsonZa — Mon, 20 Aug 2018 19:15:49 GMT

Where did you put this inputs.conf and did you restart the service after you created it?

Re: How to import old log files to splunk

vinaykata — Mon, 20 Aug 2018 19:20:23 GMT

I have this input in my SplunkHome/etc/deployment-apps/appname/local/inputs.conf. And yes I have reloaded my deployment server after the config change.