Monitoring Splunk

saving log rotated files in splunk

rupesh212121
Explorer

Thanks david for the link. but i wanted to know if someday later if i want to view the log rotated file thn how can i view it. is there any mechanism that this log rotated data can be stored anywhere in splunk for future view or splunk maitains some history anywhere.

Tags (1)
0 Karma

David
Splunk Employee
Splunk Employee

Hello,

I'm not entirely clear on what your use case is. What problem are you looking to solve, by looking at a particular rotated file?

Splunk does not rotate files itself, and it doesn't really concern itself with when or if a file is rotated (except in making sure it doesn't re-index a file). Suppose you had a rotation schedule set to turn over every day, Splunk would just monitor the current file, and when it's rotated start reading the new file. If you wanted to look at data that was produced yesterday (e.g., data in the file that was later rotated), you can just run a search for "earliest=-1d@d latest=@d". (See: Changing Time Range).

Let me know if that's not clear, or doesn't solve your particular problem.

0 Karma

pranavrao
New Member

Where do you set the rotation schedule?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...