Where can I find data I added into Splunk?

New Member

Hi,
I followed the Splunk guide http://docs.splunk.com/Documentation/Splunk/6.1.11/SearchTutorial/GetthetutorialdataintoSplunk to add data and do a search; then I did it again with other data. But I can't find them! They are two zip files; when I go to the home page, I don't find them in the Manage inputs menu! Where are they?


Super Champion

Once you have added the data, Splunk will "index" that data.
Then you need to use Splunk search commands to search and view the data you uploaded.

So, just follow this page:
http://docs.splunk.com/Documentation/Splunk/6.1.11/SearchTutorial/Aboutthesearchapp
and run a few search commands like:
sourcetype=secure
or, even simply:
buttercupgames


Splunk Employee

Hi, are you really using version 6.1.11? The latest is 6.5.0.

The software does not store the zip files in the way you are imagining. It indexes the data inside the zip files and stores that in a number of files. These files are in directories, organized by age. The directories are called buckets.

See "How the indexer stores indexes" in the "Managing Indexers and Clusters of Indexers" manual for complete information.

What is it you are trying to do with the input files? After you have loaded them, they are available for searching, and it sounds as if you were successful with that.

New Member

And if I want to delete them?


New Member

Thank you!


Splunk Employee

It's important to know that the delete command does not remove any data from the index or reclaim any disk space. It just makes those events invisible to subsequent searches.

To delete indexed data permanently from disk, you need to use the CLI clean command.

Read "Remove indexes and indexed data" in the "Managing Indexers and Clusters of Indexers" manual.


Super Champion

If you want to delete any data from Splunk,
then you can search for it and then use the "delete" command.
(You should have permissions to run this delete command. If you are an admin, you will probably have the permission.)

index=testindex source=/var/log/messages | delete