Cant ingest .gz syslog files - was already indexed...

power12 · ‎03-12-2024

I have .gz syslog files but I am unable to fetch all files

For each host(abc) it has 23 .tgz files with extension like syslog.log1.gz until syslog.log.24.gz ...I only see the one with 24 ingested but not others ..for all others in internal logs I see "was already indexed as a non-archive, skipping"

Log path
/ad/logs/abc/syslog/syslog.log.24.gz

Internal logs :

03-12-2024 14:59:59.590 -0700 INFO ArchiveProcessor [1944346 archivereader] - Archive with path="/ad/logs/abc/syslog/syslog.log.2.gz" was already indexed as a non-archive, skipping.

03-12-2024 14:59:59.590 -0700 INFO ArchiveProcessor [1944346 archivereader] - Finished processing file '/ad/logs/abc/syslog/syslog.log.2.gz', removing from stats>

Should I try crcsalt or crclength ?

power12 · ‎03-13-2024

Can we ingest these logs?

Cant ingest .gz syslog files - was already indexed as a non-archive, skipping

inputs.conf

props.conf

transforms.conf

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?