- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to import old log files to splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to import old log files to splunk
I have a remote server which has 1 week older rolling logs. I wanted to monitor those logs so I have installed UF and set up inputs.conf. The newly created logs are showing up on Splunk search, but I am not able to search those 1week older files. Below is my inputs.conf. Is there any other way that I can import that logs to the same source type, same index and from the same host. Thank you
Sorry, that's my bad, I would have mentioned I wanted to index the earlier 7 days data, not older than 7days. Let's say today is 20th aug, So, I wanted to index data from 14th -19thAugust logs.
Splunk: 6.6.3
[monitor://D:\xxx*.log]
disabled = false
sourcetype = AAA
ignoreOlderThan = 7d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok so this is more of a not seeing forwarded data problem.
first observation is you dont have an index defined. Not sure if that was a typo in your post or you dont have one in your stanza. If you dont have one in your input stanza I would check and see if your data is in index=main.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it's going to default index (main) that's why I didn't mention it in the stanza
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you put this inputs.conf and did you restart the service after you created it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this input in my SplunkHome/etc/deployment-apps/appname/local/inputs.conf. And yes I have reloaded my deployment server after the config change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
In your inputs file you used "ignoreOlderThan = 7d" tag which ignores to index data older then 1 week. Since I do not know exact time of your old log files I could not say this is the exactly problem but if your log files are created older than "08/13/2018" they will not be forwarded so you wont be able to see them in your environment.
You should change that value into something ignoreOlderThan=Today-LogFileDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, that's my bad, I would have mentioned I wanted to index the earlier 7 days data, not older than 7days. Let's say today is 20th aug, So, I wanted to index data from 14th -19thAugust logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
im a little confused on what youre wanting to do. Are you wanting to search within those 7 days that you have indexed or wanting to search older than seven days?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wanted to index those 7days old logs and do a search on those for specific errors. Thanks for ur prompt response
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
