Security

Where do logs go when uploaded via Splunk Web's 'Add Data' -> Upload feature?

Path Finder

I uploaded a .zip data file through web Add Data -> upload. It worked fine and I see the data when searching in the right index, but can't seem to find the zip anywhere on the host. What location/path do the uploaded files get saved to?

0 Karma

New Member

as a normal user, you have added the data? If yes, please let me know, how to enable this adddata option for normal user

0 Karma

Esteemed Legend

They get parsed, indexed, compressed, and stored in buckets on the indexers.

0 Karma

Path Finder

The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets.

Splunk Employee
Splunk Employee

See How the indexer stores indexes in the Managing Indexers and Clusters of Indexers manual for more information.

0 Karma

Path Finder

Thanks. Does that mean, it deletes/renames the original uploaded file? For example, in web I see, 'tutorialdata.zip:./www3/access.log' in the 'source' field. But there is no such file 'tutorialdata.zip' on the server, looks like this is just saved as metadata info. Note that it is a test/all-in-one box (SH, indexer).

0 Karma