About Upload File

tanjiro_rengo
New Member

Hi guys,

I am new here and I want to explore some things in Splunk. I have a txt file; I uploaded it and I want to get the logs in this file by combining them according to a certain format, for example a log that starts with line D and ends with line F. I created a .conf file for this and restarted Splunk, but does it also affect the existing logs? Do I need to send these logs again, and if so, how can I delete the existing ones and send them again? What is your view of the whole event?

 

0 Karma

livehybrid
SplunkTrust

Hi @tanjiro_rengo 

It ultimately depends on what configuration file changes you have applied to determine if this is a search-time or index-time change. Index-time changes will not apply retrospectively to existing indexed data. 

Please could you share your configuration changes and let us know how you are sending this file to Splunk?

0 Karma

gcusello
SplunkTrust

Hi @tanjiro_rengo ,

Are you inputting using the manual guided Data Input or an input in a conf file?

If you can use the manual Data Input, you can do this without any issue.

If you need to use inputs.conf, you must remember to rename the file and use `crcSalt=<SOURCE>` in inputs.conf, otherwise Splunk doesn't read a file twice.

About deleting, you can use the `delete` command in the search dashboard, but you must first assign the "can_delete" role to your user, otherwise even an admin cannot delete any log; remember at the end of this action to remove this role from your user (it's safer!).

Obviously, this is a logical deletion, not a physical deletion. For physical deletion you can only use the `splunk clean eventdata -index <your_index>` command from the CLI, but in this way you delete all the data in an index, not only the last file.

Ciao.

Giuseppe

0 Karma

tanjiro_rengo
New Member

hi @gcusello 

First of all, thank you for your reply. There's something here I'm curious about. If the .conf file I have added contains the correct content, if I want to upload the same file with a different name, is the result in the review section correct or should I see the search section?

0 Karma

gcusello
SplunkTrust

Hi @tanjiro_rengo ,

As I said, it depends on how you upload the file: if you use the manual Data Input by web GUI, you can upload the file many times without any issue.

If instead you are using a conf input, Splunk doesn't index a log twice, so you should rename it and use the option `crcSalt=<SOURCE>`.

Ciao.

Giuseppe

0 Karma
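
The settings discussed in this thread, shown together as an added example that is not part of the original posts: a monitor input that re-reads a renamed copy of the file, and index-time event merging for blocks that run from a "D" line to an "F" line. The file path, the index name `sandbox`, the sourcetype name `df_block` and the assumption that events start at a line beginning with `D` and end at a line beginning with `F` are all hypothetical.

```ini
# ---- inputs.conf (hypothetical path, index and sourcetype) ----
[monitor:///opt/data/app_events_v2.txt]
index = sandbox
sourcetype = df_block
# Mix the full source path into the file checksum so that a renamed copy
# with identical content is treated as a new file and indexed again.
crcSalt = <SOURCE>

# ---- props.conf ----
# These are index-time settings: they shape events as they are indexed,
# so data indexed before the change keeps its old event boundaries.
[df_block]
SHOULD_LINEMERGE = true
# Do not start a new event just because a line contains a timestamp.
BREAK_ONLY_BEFORE_DATE = false
# Start a new event only at a line that begins with "D" (assumed marker).
BREAK_ONLY_BEFORE = ^D
# Close the current event after a line that begins with "F" (assumed marker).
MUST_BREAK_AFTER = ^F
# Upper bound on lines merged into one event (the default is 256).
MAX_EVENTS = 1000
```

Using a dedicated test index for this kind of trial keeps a later `splunk clean eventdata -index <your_index>` from removing data you want to keep.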