Wednesday, March 12, 2014

Splunk: Importing Oneshot Files with a Source Rename

I had to import some old gzipped log files - so I simply did a:

splunk add oneshot /var/log/mylogfile.1.gz

The problem was that the source type was /var/log/mylogfile.1.gz and not /var/log/mylogfile - breaking some of the field extractions I use. I found that I could not use wildcards in the source to capture the field extraction, and I couldn't use sourcetype as there were multiples.

1. I figured out the ranges of the data and deleted it using a search

2. I readded the data using a oneshot with a rename-source

splunk add oneshot /var/log/mylogfile.1.gz -rename-source /var/log/mylogfile

(repeat multiple times for each compressed logfile of the same name)

Problem solved - though this will go against your quota as the data is being re-indexed.


obiee training institutes in hyderabad said...

Very good idea you've shared here, from here I can be a very valuable new experience. all things that are here will I make the source of reference, ,servicenow training in hyderabad ,splunk training in hyderabad ,
, liferay training in hyderabad

training in hyderabad said...

Unknown said...

awesome post presented by you..your writing style is fabulous and keep update with your blogs.
ServiceNow training in Hyderabad