
About Upload File

tanjiro_rengo
New Member

Hi guys,

I am new here and I want to explore some things in Splunk. I have a txt file; I uploaded it and I want to get the logs in this file by combining them according to a certain format, for example a log that starts with line D and ends with line F. I created a .conf file for this and restarted Splunk, but does it also affect the existing logs? Do I need to throw these logs again, and if so, how can I delete the existing ones and throw them again? What is your view of the whole event?

 


livehybrid
Super Champion

Hi @tanjiro_rengo 

It ultimately depends on what configuration file changes you have applied to determine if this is a search-time or index-time change. Index-time changes will not apply retrospectively to existing indexed data. 

Please could you share your configuration changes and let us know how you are sending this file to Splunk?


gcusello
SplunkTrust

Hi @tanjiro_rengo ,

Are you inputting using the manual guided Data Input or an input in a conf file?

If you can use manual Data Input, you can do this without any issue.

If you need to use inputs.conf, you must remember to rename the file and use crcSalt=<SOURCE> in inputs.conf, otherwise Splunk doesn't read a file twice.

About deleting, you can use the delete command in the search dashboard, but you must first assign the "can_delete" role to your user, otherwise even an admin cannot delete any log; remember at the end of this action to remove this role from your user (it's safer!).

Obviously, this is a logical deletion, not a physical deletion; for the physical deletion you can only use the splunk clean eventdata -index <your_index> command from the CLI, but in this way you delete all the data in an index, not only the last file.

Ciao.

Giuseppe


tanjiro_rengo
New Member

Hi @gcusello

First of all, thank you for your reply. There's something here I'm curious about. If the .conf file I have added contains the correct content, if I want to upload the same file with a different name, is the result in the review section correct or should I see the search section?


gcusello
SplunkTrust

Hi @tanjiro_rengo ,

As I said, it depends on how you upload the file: if you use the manual Data Input by web GUI, you can upload the file many times without any issue.

If instead you are using a conf input, Splunk doesn't index a log twice, so you should rename it and use the option crcSalt=<SOURCE>.

Ciao.

Giuseppe
