Deployment Architecture

Upload and index a file : server abort

madmoravian
New Member

As a brand new user, I'm attempting to add several log files as input to my installation of splunk. These are server log files of about 3GB+. Whenever I attempt to "Upload and index a file" I get a "Your entry was not saved. The following error was reported: server abort." message.

I have managed to upload some access logs, but it generally takes me multiple tries to do so. The access log files are about 85MB in size.

Any thoughts? We are using 4.3

0 Karma
1 Solution

Brian_Osburn
Builder

Try setting Splunk to read the directory, and not the file itself. My guess is it's trying to load the whole thing into memory or something.

Brian

View solution in original post

apjhadoop
New Member

@madmoravian:
"moving the file to the Splunk server allowed it to successfully save and process the log file."

Moving it to which directory path on the Splunk server? Thanks.

0 Karma

amiracle
Splunk Employee
Splunk Employee

If that does not work, try splinting the file into smaller chunks and see if your server can index the files then. On *NIX use the split command:

split -b 1000k largefile.big smallerfiles

You can also split it by lines if you know how many lines make up an event:

split -l 1000 largefile.big smallerfiles

This will then create the 'smallerfiles' with the suffix aa-zz.

0 Karma

Brian_Osburn
Builder

Try setting Splunk to read the directory, and not the file itself. My guess is it's trying to load the whole thing into memory or something.

Brian

himynamesdave
Contributor

+1 to this.

0 Karma

madmoravian
New Member

Yes. moving the file to the Splunk server allowed it to successfully save and process the log file.

0 Karma

Brian_Osburn
Builder

Let me know if this works, and we'll convert this to an answer..

0 Karma

madmoravian
New Member

Not yet, as the file is not on the splunk server. I might move it over there and see what happens. Thanks for the suggestion.

0 Karma

Brian_Osburn
Builder

Have you tried pointing Splunk @ the directory instead of at the file itself?

Brian

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...