Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logs have been FIFO'd but i still need. How do i get them back in?

Jarohnimo
Builder
‎07-26-2018 09:05 AM

Working in Windows I have a directory of sharepoint logs that i have been pulling for years. I've recently started to pull in the upgrade logs but they are years old and what happened is they were pulled in but because the data in the log were a few years old it was immediately fifo'd out (I should of placed those logs in a seperate index,... my mistake).

I'd like to setup a new deployment app that only pulls the logs like: Upgrade-2018-094336-984.log and Upgrade-2018-094336-984-error.log. (I'm guesting some form of regex/ whitelist (can someone help me with the syntax)...

what's the easiest way to do this? does it involve clearing the fishbucket? I'm hoping i can create a new index and deploy the app and it just works? thoughts?

Tags (1)
0 Karma
Reply

hortonew
Builder
‎07-26-2018 10:26 AM

Yes, if you need to re-ingest data on the same host that already ingested them, the fishbucket is keeping track that it already ingested them and won't again. Push your new app that sends those logs to the new location, remove fishbucket entries for that, restart splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...