Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logs have been FIFO'd but i still need. How do i get them back in?

Jarohnimo
Builder
‎07-26-2018 09:05 AM

Working in Windows I have a directory of sharepoint logs that i have been pulling for years. I've recently started to pull in the upgrade logs but they are years old and what happened is they were pulled in but because the data in the log were a few years old it was immediately fifo'd out (I should of placed those logs in a seperate index,... my mistake).

I'd like to setup a new deployment app that only pulls the logs like: Upgrade-2018-094336-984.log and Upgrade-2018-094336-984-error.log. (I'm guesting some form of regex/ whitelist (can someone help me with the syntax)...

what's the easiest way to do this? does it involve clearing the fishbucket? I'm hoping i can create a new index and deploy the app and it just works? thoughts?

Tags (1)
0 Karma
Reply

hortonew
Builder
‎07-26-2018 10:26 AM

Yes, if you need to re-ingest data on the same host that already ingested them, the fishbucket is keeping track that it already ingested them and won't again. Push your new app that sends those logs to the new location, remove fishbucket entries for that, restart splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...