Security

Where do logs go when uploaded via Splunk Web's 'Add Data' -> Upload feature?

kausar
Path Finder

I uploaded a .zip data file through web Add Data -> upload. It worked fine and I see the data when searching in the right index, but can't seem to find the zip anywhere on the host. What location/path do the uploaded files get saved to?

0 Karma

anandpasunoori
New Member

as a normal user, you have added the data? If yes, please let me know, how to enable this adddata option for normal user

0 Karma

woodcock
Esteemed Legend

They get parsed, indexed, compressed, and stored in buckets on the indexers.

0 Karma

splunk_force_as
Path Finder

The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets.

ChrisG
Splunk Employee
Splunk Employee

See How the indexer stores indexes in the Managing Indexers and Clusters of Indexers manual for more information.

0 Karma

kausar
Path Finder

Thanks. Does that mean, it deletes/renames the original uploaded file? For example, in web I see, 'tutorialdata.zip:./www3/access.log' in the 'source' field. But there is no such file 'tutorialdata.zip' on the server, looks like this is just saved as metadata info. Note that it is a test/all-in-one box (SH, indexer).

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...