Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

After uploading a local log file into Splunk, where does the local data reside?

splunkrkhanna
New Member
‎10-21-2016 08:21 PM

Hi Team,

I've recently downloaded Splunk Enterprise 6.4.4 trial version for Windows 7. I've uploaded a local log file using "Add data" option. After following the wizard the file got uploaded successfully and i can the command as per my need. My question is do you upload my local file to any of the Splunk server or it resides on my local windows machine?

0 Karma
Reply

gokadroid
Motivator
‎10-22-2016 09:29 AM

Similar to @lukejadamec answer but with index in context:

Let's say you uploaded a data for which your index was called "mysearchindex" and you created a default sourcetype called "mySourceType" in the default app "Search and reporting". Then the raw data that you uploaded, which SPlunk uses can be found in subdirectories here, assuming default path locations which Splunk uses were given while creating "mySearchIndex" :

SplunkHomeDirectory\var\lib\splunk\mysearchindex\db

In general assuming "C:\Program Files\Splunk" is your SplunkHomeDirectory then for every index, raw data file (which has raw data in a slightly "customized" format) can be found in subdirectories here:

C:\Program Files\Splunk\var\lib\splunk\<yourIndexName>\db\

NOTE: The file that you uploaded from local directory will always stay in that local directory untouched. "Splunk's copy" (if you can call it) is as is stated above.

0 Karma
Reply

lukejadamec
Super Champion
‎10-22-2016 07:54 AM

Once the data is added to Splunk it is referred to as Indexed data. The Splunk indexes are stored in Splunk_Home\var\lib\splunk.
The log file you added remains unchanged on the local system.
If you have more than one Splunk server than you can replicate the indexes between them.
Hope that answers your question.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...