Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After uploading a local log file into Splunk, where does the local data reside?

splunkrkhanna
New Member
‎10-21-2016 08:21 PM

Hi Team,

I've recently downloaded Splunk Enterprise 6.4.4 trial version for Windows 7. I've uploaded a local log file using "Add data" option. After following the wizard the file got uploaded successfully and i can the command as per my need. My question is do you upload my local file to any of the Splunk server or it resides on my local windows machine?

0 Karma
Reply

gokadroid
Motivator
‎10-22-2016 09:29 AM

Similar to @lukejadamec answer but with index in context:

Let's say you uploaded a data for which your index was called "mysearchindex" and you created a default sourcetype called "mySourceType" in the default app "Search and reporting". Then the raw data that you uploaded, which SPlunk uses can be found in subdirectories here, assuming default path locations which Splunk uses were given while creating "mySearchIndex" :

SplunkHomeDirectory\var\lib\splunk\mysearchindex\db

In general assuming "C:\Program Files\Splunk" is your SplunkHomeDirectory then for every index, raw data file (which has raw data in a slightly "customized" format) can be found in subdirectories here:

C:\Program Files\Splunk\var\lib\splunk\<yourIndexName>\db\

NOTE: The file that you uploaded from local directory will always stay in that local directory untouched. "Splunk's copy" (if you can call it) is as is stated above.

0 Karma
Reply

lukejadamec
Super Champion
‎10-22-2016 07:54 AM

Once the data is added to Splunk it is referred to as Indexed data. The Splunk indexes are stored in Splunk_Home\var\lib\splunk.
The log file you added remains unchanged on the local system.
If you have more than one Splunk server than you can replicate the indexes between them.
Hope that answers your question.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...