Splunk Cloud Platform

Migrating from SumoLogic: How to import log data?

Skeer-Jamf
Path Finder

So here at work we have been using Sumo for a couple of years now but are moving to Splunk. I have been looking for ways of moving the log/event data. Now I know I can export a search from Sumo into a CSV and then import it. However, I'm unable to see all the indexes to import the data to on the Splunk side. There's also the issue of the host change. Maybe Splunk is just unable to maintain the original host: values from the imported data, but if that's true I'd need to validate it for the boss.


So anyway, I'm asking here for advice on the proper/accepted/best way to accomplish moving historical data from Sumo into Splunk. And what the stipulations are on which indexes show up as destinations. And lastly, why can't Splunk respect the host values of the imported records?


Thanks!!

0 Karma

richgalloway
SplunkTrust

What do you mean by "I'm unable to see all the indexes"? Is it just a matter of your role not having access to the indexes? If so, then all you can do is ask your Splunk admin for access or have him/her do the import.

Splunk should be able to maintain the original host.  Is the host name in the CSV file?  If so, then props and transforms can be used to preserve the host name.

In both cases, it may help if you gave us some more information about how you are doing the import.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Skeer-Jamf
Path Finder

OK, so I log in to Splunk, click on the + sign and choose to upload a local file. Next is setting the source type; by default the source type is 'csv'. I see individual entries, and they look correct in the right-hand section, so I'm assuming I'd leave that as 'csv'. So next is setting the Input Settings/host field value. It's here where the default value is a weird string+domain.splunkcloud.com. So that's a confusing part, but below that is the Index where to import this data to. It's here that the drop-down is only a SUPER small subset of the available indexes that I have access to/own.

0 Karma

richgalloway
SplunkTrust

The "weird string" is the host name for your search head.  You can let that default because you'll need to override it, anyway.

You'll need to create an app with a transforms.conf file that sets the host name to a value in the data. See https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Overridedefaulthostassignments for a good description of that. Use a heavy forwarder as described in the doc or build an app and upload it to Splunk.com. Either way, I recommend putting the .conf files in an app directory rather than in etc/system/local.

When you've done this, you'll have a custom sourcetype and should use that name rather than the built-in csv sourcetype.

I don't know why you're not seeing all of the index names.

---
If this reply helps you, Karma would be appreciated.
0 Karma
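The props/transforms approach mentioned in both of richgalloway's replies, written out as an added example (not from the original thread, and not a Splunk-supplied configuration). The sourcetype name `sumo_csv_import`, the transform name `sumo_set_host`, and the column layout of the Sumo export (`_messagetime,_sourcehost,_sourcename,_raw`) are assumptions; check the header line of your own CSV and adjust the regex, the timestamp column and the time format before using it.

```ini
# props.conf  (in the app's default/ or local/ directory, not etc/system/local)
# Custom sourcetype for the SumoLogic CSV export. Use this name in the
# upload dialog instead of the built-in "csv" sourcetype so that the
# index-time host override below is attached to the data.
[sumo_csv_import]
INDEXED_EXTRACTIONS = csv
KV_MODE = none
# ASSUMPTION: the export has a column named _messagetime holding the
# original event time as epoch milliseconds. Without this, every imported
# event would be stamped with the time of the upload instead.
TIMESTAMP_FIELDS = _messagetime
TIME_FORMAT = %s%3N
# Run the host override in the parsing (index-time) pipeline.
TRANSFORMS-sumohost = sumo_set_host

# transforms.conf
# Copy the original host out of the CSV row into Splunk's host metadata,
# so imported events keep the host: value they had in Sumo.
# ASSUMPTION: column order is _messagetime,_sourcehost,_sourcename,_raw,
# so the host is the second comma-separated field. A _raw column that
# itself contains commas is fine here (we only read up to the second
# comma), but a quoted _sourcehost containing a comma would need a
# stricter regex or a reordered export.
[sumo_set_host]
SOURCE_KEY = _raw
REGEX = ^[^,]*,([^,]+),
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Two points worth checking before a bulk import: the host override is an index-time operation, so it only affects data ingested after the app is installed where parsing happens (the heavy forwarder in the doc's setup, or the Splunk Cloud stack itself when the app is uploaded there); events already indexed under the search head's default host cannot be re-hosted without deleting and re-ingesting them. And test on a small slice first with `index=<target> sourcetype=sumo_csv_import | stats count by host` to confirm the host values and `_time` range look like the Sumo originals rather than the search head name and the upload time.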