Getting Data In

How to import old log files to Splunk

vinaykata
Path Finder

I have a remote server which has rolling logs that are 1 week old. I wanted to monitor those logs, so I have installed a UF and set up inputs.conf. The newly created logs are showing up in Splunk search, but I am not able to search those 1-week-old files. Below is my inputs.conf. Is there any other way that I can import those logs to the same source type, same index and from the same host? Thank you

Sorry, that's my bad, I should have mentioned I wanted to index the earlier 7 days of data, not older than 7 days. Let's say today is 20th Aug, so I wanted to index data from the 14th-19th August logs.

Splunk: 6.6.3

[monitor://D:\xxx*.log]
disabled = false
sourcetype = AAA
ignoreOlderThan = 7d

0 Karma

CarsonZa
Contributor

OK, so this is more of a not-seeing-forwarded-data problem.

My first observation is that you don't have an index defined. Not sure if that was a typo in your post or you don't have one in your stanza. If you don't have one in your input stanza, I would check and see if your data is in index=main.

0 Karma

vinaykata
Path Finder

It's going to the default index (main); that's why I didn't mention it in the stanza.

0 Karma

CarsonZa
Contributor

Where did you put this inputs.conf and did you restart the service after you created it?

0 Karma

vinaykata
Path Finder

I have this input in my SplunkHome/etc/deployment-apps/appname/local/inputs.conf. And yes I have reloaded my deployment server after the config change.

0 Karma

halisc
New Member

Hi,

In your inputs file you used the "ignoreOlderThan = 7d" tag, which skips indexing data older than 1 week. Since I do not know the exact time of your old log files, I could not say this is exactly the problem, but if your log files were created before "08/13/2018" they will not be forwarded, so you won't be able to see them in your environment.

You should change that value to something like ignoreOlderThan=Today-LogFileDate

0 Karma
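A way to see which files an ignoreOlderThan window would skip, by comparing each file's modification time with the cutoff. This is an added example, not part of any post in this thread; the helper names parse_window and classify are hypothetical, the sample file names are constructed, and it assumes the setting is evaluated against file modification time.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Suffixes accepted by ignoreOlderThan: seconds, minutes, hours, days.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_window(value):
    """Convert an ignoreOlderThan value such as '7d' into seconds."""
    match = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not match:
        raise ValueError("expected <integer>[s|m|h|d], got %r" % value)
    return int(match.group(1)) * _UNITS[match.group(2)]


def classify(directory, pattern, window, now=None):
    """Split files matching pattern into 'read' and 'ignored' by mtime."""
    now = time.time() if now is None else now
    cutoff = now - parse_window(window)
    result = {"read": [], "ignored": []}
    for path in sorted(Path(directory).glob(pattern)):
        if path.is_file():
            # Assumption: a file is skipped when its mtime is before the cutoff.
            key = "read" if path.stat().st_mtime >= cutoff else "ignored"
            result[key].append(path.name)
    return result


def demo():
    """Build constructed sample files of known age and classify them."""
    now = time.time()
    samples = (("app-today.log", 0), ("app-6d.log", 6), ("app-9d.log", 9))
    with tempfile.TemporaryDirectory() as tmp:
        for name, age_days in samples:
            path = Path(tmp) / name
            path.write_text("constructed sample line\n")
            stamp = now - age_days * 86400
            os.utime(path, (stamp, stamp))  # set atime and mtime
        return classify(tmp, "*.log", "7d", now)


if __name__ == "__main__":
    print(demo())
```

Pointing classify at the monitored directory on the forwarder host, with the same pattern and window as the stanza, shows whether the rolled files fall inside the 7d window.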

vinaykata
Path Finder

Sorry, that's my bad, I should have mentioned I wanted to index the earlier 7 days of data, not older than 7 days. Let's say today is 20th Aug, so I wanted to index data from the 14th-19th August logs.

0 Karma

CarsonZa
Contributor

I'm a little confused about what you're wanting to do. Are you wanting to search within those 7 days that you have indexed, or wanting to search older than seven days?

0 Karma

vinaykata
Path Finder

I wanted to index those 7-day-old logs and do a search on those for specific errors. Thanks for your prompt response.

0 Karma