We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.
inputs.conf
[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
Maybe something like this?
[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
[monitor://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
[monitor://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
Hello @pjohnson1
yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.
P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/
Hello @pjohnson1
yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.
P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/