Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to archive specific logs

aywong
Path Finder
‎10-25-2012 08:06 AM

If I find something worth keeping I would like to be able to archive the specific event logs that I want and save them somewhere outside of splunk.

coldToFrozenDir, determines the behavior when cold rolls to frozen and archives the frozen buckets in the specified directory, but I only want to archive specific logs, at random.

for example if I do a search and find a log that I would like to just keep, how do I just keep that one.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎10-25-2012 08:14 AM

The easiest way to do what you're asking is to export the results using the "export" button in the search view, print it, or "save search and results".

coldToFrozenDir works at the bucket (subdivision of an index) level, and it's unlikely that you could archive a particular piece of log segment in a single bucket (not without a lot of other things in that bucket, too).

You could also consider saving just the "_raw" field of the events found by your search. This would work for the export functionality, too. When you're satisfied with the search expression to get the results you want, add | table _raw at the end, then export the results when the search finishes.

View solution in original post

Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎10-25-2012 08:14 AM

The easiest way to do what you're asking is to export the results using the "export" button in the search view, print it, or "save search and results".

coldToFrozenDir works at the bucket (subdivision of an index) level, and it's unlikely that you could archive a particular piece of log segment in a single bucket (not without a lot of other things in that bucket, too).

You could also consider saving just the "_raw" field of the events found by your search. This would work for the export functionality, too. When you're satisfied with the search expression to get the results you want, add | table _raw at the end, then export the results when the search finishes.

Reply
Solved! Jump to solution

Ayn
Legend
‎10-25-2012 08:12 AM

You could use the collect command to grab the search results for some search with interesting results and write those results to a separate index that has a much longer retention time than your main index.

Reply
Solved! Jump to solution

peter_krammer
Communicator
‎11-25-2014 08:21 AM

The problem with this method is that the fields source, sourcetype and host are overridden.
It would be better if there was an option to archive data or mark data as don't delete until you do not need them anymore.
We have to sometimes keep specific Data for further analysis and do not know how long we need to keep them.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...