Monitoring Splunk

saving log rotated files in splunk


Thanks david for the link. but i wanted to know if someday later if i want to view the log rotated file thn how can i view it. is there any mechanism that this log rotated data can be stored anywhere in splunk for future view or splunk maitains some history anywhere.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee


I'm not entirely clear on what your use case is. What problem are you looking to solve, by looking at a particular rotated file?

Splunk does not rotate files itself, and it doesn't really concern itself with when or if a file is rotated (except in making sure it doesn't re-index a file). Suppose you had a rotation schedule set to turn over every day, Splunk would just monitor the current file, and when it's rotated start reading the new file. If you wanted to look at data that was produced yesterday (e.g., data in the file that was later rotated), you can just run a search for "earliest=-1d@d latest=@d". (See: Changing Time Range).

Let me know if that's not clear, or doesn't solve your particular problem.

0 Karma

New Member

Where do you set the rotation schedule?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...