I uploaded a .zip data file through web Add Data -> upload. It worked fine and I see the data when searching in the right index, but can't seem to find the zip anywhere on the host. What location/path do the uploaded files get saved to?
as a normal user, you have added the data? If yes, please let me know, how to enable this adddata option for normal user
They get parsed, indexed, compressed, and stored in buckets on the indexers.
The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets.
See How the indexer stores indexes in the Managing Indexers and Clusters of Indexers manual for more information.
Thanks. Does that mean, it deletes/renames the original uploaded file? For example, in web I see, 'tutorialdata.zip:./www3/access.log' in the 'source' field. But there is no such file 'tutorialdata.zip' on the server, looks like this is just saved as metadata info. Note that it is a test/all-in-one box (SH, indexer).