Migrating from SumoLogic: How to import log data?
So here at work we have been using Sumo for a couple of years now but are moving to Splunk. I have been looking for ways of moving the log/event data. Now I know I can export a search from Sumo into a CSV and then import it. However, I'm unable to see all the indexes to import the data to on the Splunk side. There's also the issue of the host change. Maybe Splunk is just unable to maintain the original host: values from the imported data, but if that's true I'd need to validate it for the boss.
So anyway, I'm asking here for advice on the proper/accepted/best way to accomplish moving historical data from Sumo into Splunk. And what the stipulations are on which indexes show up as destinations. And lastly.. why can't Splunk respect the host values of the imported records?
Thanks!!
What do you mean by "Im unable to see all the indexes"? Is it just a matter of your role not having access to the indexes? If so, then all you can do is ask your Splunk admin for access or have him/her do the import.
Splunk should be able to maintain the original host. Is the host name in the CSV file? If so, then props and transforms can be used to preserve the host name.
In both cases, it may help if you gave us some more information about how you are doing the import.
If this reply helps you, Karma would be appreciated.
OK, so I log in to Splunk, click on the + sign and choose to upload a local file. Next is setting the source type.. by default the source type is 'csv'. I see individual entries.. they look correct in the right-hand section, so I'm assuming I'd leave that as 'csv'. So next is setting the Input Settings/host field value. It's here where the default value is a weird string+domain.splunkcloud.com. So that's a confusing part, but below that is the Index where to import this data to. It's here that the drop-down is only a SUPER small subset of the available indexes that I have access to/own.
The "weird string" is the host name for your search head. You can let that default because you'll need to override it, anyway.
You'll need to create an app with a transforms.conf file that sets the host name to a value in the data. See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments for a good description of that. Use a heavy forwarder as described in the doc, or build an app and upload it to Splunk.com. Either way, I recommend putting the .conf files in an app directory rather than in etc/system/local.
When you've done this, you'll have a custom sourcetype and should use that name rather than the built-in csv sourcetype.
I don't know why you're not seeing all of the index names.
If this reply helps you, Karma would be appreciated.
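A concrete version of the props/transforms host override described in the reply above, as an added example that is not from the original thread or from Splunk's documentation. It assumes a custom sourcetype named `sumo_export_csv`, an app directory of your choosing, and a CSV export whose second column holds the original host (the column layout in the comments is constructed for illustration; check it against your actual Sumo export header).

```ini
# props.conf  (in <your_app>/local/ or <your_app>/default/, not etc/system/local)
# Assumed custom sourcetype for the Sumo CSV export; select this name in the
# upload wizard instead of the built-in "csv" sourcetype.
[sumo_export_csv]
SHOULD_LINEMERGE = false
# Constructed sample of the assumed export layout (header row, then events):
#   _messagetime,source_host,message
#   2024-01-15T10:22:03Z,web01.example.com,"GET /login 200"
# Timestamp is the first column, ISO-8601 UTC.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 25
# Run the host override at index time for this sourcetype.
TRANSFORMS-sumohost = set_host_from_sumo_csv

# transforms.conf  (same app directory)
[set_host_from_sumo_csv]
# Capture the second column only when the first column looks like a
# timestamp, so the header row keeps the default host instead of
# becoming host="source_host".
REGEX = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z,([^,]+),
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

To validate the result for the boss, run a search such as `index=<target_index> sourcetype=sumo_export_csv | stats count by host` after the upload; if every event still reports the search head's name, the transform did not run at index time (for example, the file was parsed upstream before reaching the indexer) and the data must be re-ingested through the path where these .conf files are deployed.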
