Below is my indexes.conf file: defaultDatabase = main [main] homePath= $SPLUNK_DB\defaultdb\db coldPath = $SPLUNK_DB\defaultdb\colddb thawedPath = $SPLUNK_DB\defaultdb\thawedb maxDataSize = 5 maxHotBuckets = 1 maxWarmDBCount = 1 frozenTimePeriodInSecs = 60 rotatePeriodInSecs = 60 coldToFrozenScript = WindowsCompressedExport.bat "$DIR" I have the fields set to a minimum so I can see if this works. Also here is my WindowsCompressedExport.bat file: set dest_base=C:\Security\splunk\ set source_path=%1 set source_base=%~dp1 set source_leaf=%~nx1 set dest_final=%dest_base%\%source_leaf% #echo commands.... for %%i iin (%1\*.tsidx) do splunk-compresstool.exe -M "%%i" mkdir %dest_final% xcopy %1 %dest_final% /E /I /C /Y Any clue as to what may be the issue?? ... View more

Due to our strict security policies I need to show a security representative that Splunk can not only index windows event logs but also archive them to a directory. I know I can set this up for automation via the coldToFrozenScript field in indexes.conf, but I was wondering if there was a way to add this functionality to the user interface so that I could simply click on a link and go to a backup directory and view the newly archived file. Thanks for your time. Steve ... View more