Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Indexing Zipped Files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexing Zipped Files
I have about 500 excel files that I need to index into Splunk.
If I upload each file individually, I pick my sourcetype in the Add Data wizard and all the events show up correctly.
If I zip all the files together into a single file, I select the same sourcetype, but I cannot see a preview of the sample events: http://imgur.com/a/Un4xL
Splunk then gets confused when parsing the time stamp from the zipped file, and events show up with the wrong time.
Here are the sourcetype settings I'm trying to use: http://imgur.com/a/5F4bK
Is there a way to make the events load correctly for the zipped file, instead of uploading all 500 files individually?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you need is the add oneshot command from the CLI. Write a small script to shoot each file (do not ZIP them all together) and pass in the sourcetype as a parameter so that your timestamping is done correctly as per your configuraitons for that sourcetype:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/MonitorfilesanddirectoriesusingtheCLI
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mhtedford, is the intent of zipping the file only to upload multiple files to Splunk index in single shot, or the CSV files are created as zip through your existing system/application?
If individual file upload is working fine, and there is not hard and fast need to upload a zip file, then you can choose Monitor folder option instead of Upload file. You can put all the files to the folder, and Splunk should pick them up.
PS: Monitor Folder allows you to select folder from UI (instead of individual file).
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
The intent of zipping the file is only to upload multiple files to Splunk index in a single shot.
I'm trying to use the Monitor folder option, but I am having trouble finding my folder: http://imgur.com/a/OfZZA
It's currently located on my desktop, but the folder is empty in the Splunk wizard. Please advise
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the folder name and path? You can also directly set the path using text box in the Splunk UI.
Monitor Folder will should folders and not files since by default it will monitor all the files inside the folder (unless you want to restrict the same through Whitelist and/or Blacklist).
In the screenshot attached you have selected entire c drive. For adding a folder on your desktop you should navigate to Users folder and then to your logged in username folder.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the error I get when I try to set the path directly: http://imgur.com/a/hAStX
When I navigate to the Users folder and then my username, all the folders are empty. I think the permissions might not allow, and I'm not sure how to fix that.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
