Deployment Architecture

Upload and index a file : server abort

madmoravian
New Member

As a brand new user, I'm attempting to add several log files as input to my installation of splunk. These are server log files of about 3GB+. Whenever I attempt to "Upload and index a file" I get a "Your entry was not saved. The following error was reported: server abort." message.

I have managed to upload some access logs, but it generally takes me multiple tries to do so. The access log files are about 85MB in size.

Any thoughts? We are using 4.3

0 Karma
1 Solution

Brian_Osburn
Builder

Try setting Splunk to read the directory, and not the file itself. My guess is it's trying to load the whole thing into memory or something.

Brian

View solution in original post

apjhadoop
New Member

@madmoravian:
"moving the file to the Splunk server allowed it to successfully save and process the log file."

Moving it to which directory path on the Splunk server? Thanks.

0 Karma

amiracle
Splunk Employee
Splunk Employee

If that does not work, try splinting the file into smaller chunks and see if your server can index the files then. On *NIX use the split command:

split -b 1000k largefile.big smallerfiles

You can also split it by lines if you know how many lines make up an event:

split -l 1000 largefile.big smallerfiles

This will then create the 'smallerfiles' with the suffix aa-zz.

0 Karma

Brian_Osburn
Builder

Try setting Splunk to read the directory, and not the file itself. My guess is it's trying to load the whole thing into memory or something.

Brian

himynamesdave
Contributor

+1 to this.

0 Karma

madmoravian
New Member

Yes. moving the file to the Splunk server allowed it to successfully save and process the log file.

0 Karma

Brian_Osburn
Builder

Let me know if this works, and we'll convert this to an answer..

0 Karma

madmoravian
New Member

Not yet, as the file is not on the splunk server. I might move it over there and see what happens. Thanks for the suggestion.

0 Karma

Brian_Osburn
Builder

Have you tried pointing Splunk @ the directory instead of at the file itself?

Brian

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...