
Logs have been FIFO'd but I still need them. How do I get them back in?

Jarohnimo
Builder

Working in Windows, I have a directory of SharePoint logs that I have been pulling for years. I've recently started to pull in the upgrade logs, but they are years old, and what happened is they were pulled in but, because the data in the logs were a few years old, they were immediately FIFO'd out (I should have placed those logs in a separate index... my mistake).

I'd like to set up a new deployment app that only pulls logs like Upgrade-2018-094336-984.log and Upgrade-2018-094336-984-error.log. (I'm guessing some form of regex/whitelist; can someone help me with the syntax?)

What's the easiest way to do this? Does it involve clearing the fishbucket? I'm hoping I can create a new index and deploy the app and it just works? Thoughts?


hortonew
Builder

Yes, if you need to re-ingest data on the same host that already ingested it, the fishbucket is keeping track that it already ingested those files and won't do so again. Push your new app that sends those logs to the new location, remove the fishbucket entries for them, and restart Splunk.

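The two pieces the thread leaves implicit are the whitelist syntax for the `[monitor://]` stanza and the retention setting on the new index: if `frozenTimePeriodInSecs` on the new index is not longer than the age of the 2018 events, they will roll to frozen again right after the re-ingest, exactly as before. The helper below is an added, constructed example (not from the original post or from Splunk): it holds the whitelist regex in the form `inputs.conf` expects (a regex matched against the file's full path), renders the `inputs.conf` and `indexes.conf` stanzas for a hypothetical deployment app, and checks whether events of a given age would fall outside the index's retention. The index name `sharepoint_upgrade`, the sourcetype `sharepoint:upgrade`, the sample Windows paths and the timestamps are all assumed values.

```python
"""Constructed helper for planning a re-ingest of old SharePoint upgrade logs
into a fresh Splunk index. Example code, not part of the original thread."""
import re
from datetime import datetime, timezone
from typing import Optional

# Regex as it would appear in inputs.conf:
#   whitelist = Upgrade-\d{4}-\d{6}-\d{3}(-error)?\.log$
# Splunk matches whitelist/blacklist against the full path, so anchoring on
# the file name with $ is enough; no directory component is needed.
UPGRADE_LOG_WHITELIST = r"Upgrade-\d{4}-\d{6}-\d{3}(-error)?\.log$"

# Splunk's default frozenTimePeriodInSecs: 188697600 seconds (about 6 years).
# A bucket whose newest event is older than this is rolled to frozen, which
# deletes it unless coldToFrozenDir/coldToFrozenScript is configured.
DEFAULT_FROZEN_SECS = 188_697_600


def epoch_utc(year: int, month: int, day: int) -> float:
    """Unix timestamp for midnight UTC on the given date (test convenience)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def matches_whitelist(path: str, pattern: str = UPGRADE_LOG_WHITELIST) -> bool:
    """True if a monitor input with this whitelist would admit the file."""
    return re.search(pattern, path) is not None


def render_inputs_conf(monitor_dir: str, index: str,
                       pattern: str = UPGRADE_LOG_WHITELIST) -> str:
    """inputs.conf stanza for the deployment app (assumed sourcetype name)."""
    return (
        f"[monitor://{monitor_dir}]\n"
        f"index = {index}\n"
        f"whitelist = {pattern}\n"
        "sourcetype = sharepoint:upgrade\n"
        "disabled = 0\n"
    )


def render_indexes_conf(index: str, frozen_secs: int) -> str:
    """indexes.conf stanza with an explicit retention long enough for old data."""
    return (
        f"[{index}]\n"
        f"homePath = $SPLUNK_DB/{index}/db\n"
        f"coldPath = $SPLUNK_DB/{index}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{index}/thaweddb\n"
        f"frozenTimePeriodInSecs = {frozen_secs}\n"
    )


def would_be_frozen(event_time: float, frozen_secs: int,
                    now: Optional[float] = None) -> bool:
    """True if an event this old already exceeds the index retention, i.e. it
    would be rolled to frozen shortly after being indexed."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return now - event_time > frozen_secs


def required_frozen_secs(oldest_event_time: float, now: float,
                         margin_secs: int = 365 * 86400) -> int:
    """Smallest frozenTimePeriodInSecs that keeps the oldest event, plus a
    margin so the data survives for a while after the re-ingest."""
    return int(now - oldest_event_time) + margin_secs


if __name__ == "__main__":
    # Constructed sample paths on a Windows host.
    samples = [
        r"D:\SharePoint\Logs\Upgrade-2018-094336-984.log",
        r"D:\SharePoint\Logs\Upgrade-2018-094336-984-error.log",
        r"D:\SharePoint\Logs\ULS-2018-094336-984.log",
        r"D:\SharePoint\Logs\Upgrade-2018-094336-984.log.bak",
    ]
    for p in samples:
        print(f"{'match   ' if matches_whitelist(p) else 'no match'} {p}")

    oldest = epoch_utc(2018, 1, 1)          # assumed oldest event in the logs
    now = epoch_utc(2024, 12, 1)            # assumed re-ingest date
    print("frozen under default retention:", would_be_frozen(oldest, DEFAULT_FROZEN_SECS, now))
    keep = required_frozen_secs(oldest, now)
    print(render_inputs_conf(r"D:\SharePoint\Logs", "sharepoint_upgrade"))
    print(render_indexes_conf("sharepoint_upgrade", keep))
```

The retention check is the part worth running before deploying: for events from early 2018 re-ingested in late 2024, the age is just under seven years, which already exceeds the six-year default, so a new index created with default settings would lose the data again. Resetting the forwarder's memory of the files themselves is a separate step; Splunk documents `splunk cmd btprobe -d <fishbucket path> --file <source> --reset` for clearing an individual file's fishbucket entry, after which the forwarder is restarted as the answer says.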