Monitoring Splunk

Indexing and reading .tsidx files/directory-stored logs?

katmbro
Engager

Hello!

Our Splunk server receives DC logs on a daily basis from another network team. Under Files & Directories in Data Inputs, I have the file path for those logs configured to be continuously monitored, since we receive those logs from another organization. I set a custom index for those logs, and it's not showing any data in that index.

I've verified that it's not a permissions issue. I decided to manually upload one of those files into Splunk and noticed that they are .tsidx files. After uploading, I wasn't able to read any of the data in the .tsidx file. Is that normal? Am I doing anything incorrectly? We need to be able to audit those DC logs.

Thanks in advance!


richgalloway
SplunkTrust

Does the custom index exist on all of the indexers? If not, then you won't find data in it.

If the data is not onboarded properly, then finding it may be a challenge. In particular, the timestamp field must be accurate. If events are dated in the future (easy to do), then most searches will not find it.

Splunk tsidx files are not meant to be read by humans. The contents are stored in a proprietary format. Use Splunk to read the files (not directly, but by running a search).

---
If this reply helps you, Karma would be appreciated.

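The following is an added example, not code from the thread or from Splunk: a small Python pre-flight script that turns the answer's three points into checks you can run against the monitored path before opening a ticket. It classifies what the other team actually dropped (raw text logs versus Splunk bucket artifacts such as .tsidx, rawdata/journal.gz and the *.data metadata files, which a file monitor treats as opaque binary rather than events), flags events whose timestamp lies in the future relative to a reference time, and reports indexers whose index list lacks the custom index. Assumptions, labelled in the code as well: text events begin with an ISO-8601 UTC timestamp (adapt `TS_RE` to the real export format), and the per-indexer index lists were gathered beforehand (for example from each indexer's `/services/data/indexes` REST endpoint). The directory listing and log lines are constructed sample data.

```python
"""Pre-flight triage for a directory Splunk has been asked to monitor.

Added example, not code from the thread. Checks the three things the
answer raises: are these raw logs at all (or Splunk bucket artifacts
such as .tsidx), do any event timestamps lie in the future (a default
search window never returns those), and does the target index exist on
every indexer. Assumption: text events start with an ISO-8601 UTC
timestamp like "2024-04-10T11:58:02Z".
"""
import re
from datetime import datetime, timedelta, timezone

# Per-bucket metadata files that sit beside the .tsidx files in a Splunk
# index bucket. Their presence means you were handed an index, not logs.
BUCKET_METADATA = {"Hosts.data", "Sources.data", "SourceTypes.data",
                   "Strings.data", "bloomfilter"}

# Assumed event format: ISO-8601 UTC timestamp at the start of each line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z(?=\s|$)")


def is_bucket_artifact(relpath):
    """True for files that belong to a Splunk index bucket rather than to raw logs."""
    name = relpath.rsplit("/", 1)[-1]
    return (name.endswith(".tsidx")
            or name in BUCKET_METADATA
            or relpath.endswith("rawdata/journal.gz"))


def parse_event_time(line):
    """Return the event's UTC timestamp, or None if the line has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def future_dated_events(lines, now, tolerance=timedelta(minutes=5)):
    """(line number, timestamp) of events dated later than now + tolerance."""
    hits = []
    for n, line in enumerate(lines, 1):
        ts = parse_event_time(line)
        if ts is not None and ts > now + tolerance:
            hits.append((n, ts))
    return hits


def triage_listing(listing, now):
    """Classify {relpath: text-or-None} and summarise each text log's timestamps."""
    report = {"bucket_artifacts": [], "text_logs": {}, "unknown": []}
    for path, content in sorted(listing.items()):
        if is_bucket_artifact(path):
            report["bucket_artifacts"].append(path)
        elif content is not None:
            lines = content.splitlines()
            report["text_logs"][path] = {
                "events": len(lines),
                "no_timestamp": sum(1 for l in lines if parse_event_time(l) is None),
                "future_dated": future_dated_events(lines, now),
            }
        else:
            report["unknown"].append(path)
    return report


def indexers_missing_index(index_name, indexes_by_indexer):
    """Indexers whose index list lacks index_name; events routed there are dropped."""
    return sorted(h for h, names in indexes_by_indexer.items() if index_name not in names)


# Constructed sample: one bucket directory (Splunk names them db_<newest>_<oldest>_<id>)
# dropped next to one genuine text log. Event IDs 4624/4625/4768 are real Windows
# security events; the 2025 line carries a year typo that puts it in the future.
NOW = datetime(2024, 4, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = {
    "db_1712750400_1712664000_7/1712750400-1712664000-42.tsidx": None,
    "db_1712750400_1712664000_7/rawdata/journal.gz": None,
    "db_1712750400_1712664000_7/Hosts.data": None,
    "dc01-security.log": (
        "2024-04-10T11:58:02Z EventCode=4624 host=DC01 user=alice LogonType=3\n"
        "2024-04-10T11:59:40Z EventCode=4625 host=DC01 user=bob Status=0xC000006A\n"
        "2025-04-10T11:59:41Z EventCode=4768 host=DC01 user=carol\n"
        "no timestamp on this line\n"
    ),
}
SAMPLE_INDEXES = {"idx-01": {"main", "dc_logs"}, "idx-02": {"main"}}

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING, NOW)
    for path in report["bucket_artifacts"]:
        print("bucket artifact, not ingestible as events:", path)
    for path, summary in report["text_logs"].items():
        print(path, summary)
    print("indexers missing dc_logs:", indexers_missing_index("dc_logs", SAMPLE_INDEXES))
```

On the sample, the three bucket files are reported as artifacts, the text log shows one line without a timestamp and one future-dated event (line 3), and idx-02 is reported as lacking the `dc_logs` index. In the situation described in the question, the first finding is the decisive one: a directory of .tsidx files is another team's index, not a log feed, and no input configuration on the receiving side will turn it into searchable DC events.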

katmbro
Engager

Thank you for clarifying! I'm new to tsidx files so I didn't know if they were meant to be read. I guess we haven't been collecting the logs from active directory specifically so we're working on that. 🙂
