Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk 6 Can it index old rotated log files?

aliimami
Explorer
‎02-08-2014 04:15 AM

Hi.

I am testing out splunk and splunk storm for our cluster deployment. In our pilot, I have set up a single host quite well and am receiving data on splunk storm for now.

However, we have old log files that go back almost 4 years. Is it possible to add those files to splunk, by using the same sourcetypes as the ones I have designated for the live data? We have a lot of custom applications logging to /var/log and we have given them all custom types.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-08-2014 04:57 AM

Sure.

Point a Splunk forwarder at the old files like you do with new files, and it'll eat them all up. Two things to keep in mind: Try to do it all in one day, so you only cause one license violation... and, if you have data older than five years, you need to set your sourcetypes to allow such old data, by default Splunk drops data older than 2000 days.

As for Splunk Storm, I'm not quite sure if you need to do additional changes or if there are other restrictions. The above approach is based on Splunk Enterprise.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-08-2014 04:57 AM

Sure.

Point a Splunk forwarder at the old files like you do with new files, and it'll eat them all up. Two things to keep in mind: Try to do it all in one day, so you only cause one license violation... and, if you have data older than five years, you need to set your sourcetypes to allow such old data, by default Splunk drops data older than 2000 days.

As for Splunk Storm, I'm not quite sure if you need to do additional changes or if there are other restrictions. The above approach is based on Splunk Enterprise.

Reply
Solved! Jump to solution

aliimami
Explorer
‎02-08-2014 05:52 AM

Yeah. Storm is space based. Thanks for the Licensing tip off.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-08-2014 05:30 AM

Yeah, see http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/HowSplunklicensingworks for reference.

When bulk-backfilling old data it's best to do it all in one go. That's Splunk Enterprise licensing of course, not sure how Splunk Storm works. Isn't that space-based? Maybe also with restrictions on the retention time?

0 Karma
Reply
Solved! Jump to solution

aliimami
Explorer
‎02-08-2014 05:00 AM

License violation???

And yes, Enterprise helps because I will eventually be deploying splunk enterprise at $WORK. Thanks.

0 Karma
Reply
Solved! Jump to solution

aliimami
Explorer
‎02-08-2014 04:46 AM

To clarify, I can manually upload old files. But can Splunk automatically load old logrotated files?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...