Wednesday, March 12, 2014

Splunk: Importing Oneshot Files with a Source Rename

I had to import some old gzipped log files, so I simply ran:

splunk add oneshot /var/log/mylogfile.1.gz

The problem was that the source of the indexed events was /var/log/mylogfile.1.gz rather than /var/log/mylogfile, which broke some of the source-based field extractions I use. I found that I could not use wildcards in the source stanza for the field extraction, and I couldn't key the extraction on sourcetype either, as multiple sourcetypes were involved.

1. I worked out the time range of the mis-sourced data and deleted it using a search

2. I re-added the data using a oneshot with -rename-source

splunk add oneshot /var/log/mylogfile.1.gz -rename-source /var/log/mylogfile

(repeat for each compressed logfile of the same name)
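Repeating the oneshot by hand for every rotated file is error-prone, so here is an added helper script (not from the original post) that recovers the live log path from a logrotate-style filename and runs the import with -rename-source for each rotation. It assumes splunk is on PATH and that rotated files follow the usual logrotate names (mylogfile.1, mylogfile.1.gz or mylogfile-20140312.gz); the DRY_RUN variable is my own addition for previewing the commands.

```shell
#!/bin/sh
# Added example: re-import rotated, gzipped log files with
# `splunk add oneshot`, renaming each file's source back to the live
# log path so that [source::/var/log/mylogfile] field extractions match.
# Run the deleting search for the mis-sourced events first; this script
# only re-indexes (which counts against the daily indexing quota).

# Strip logrotate suffixes to recover the live log path:
#   /var/log/mylogfile.1.gz        -> /var/log/mylogfile
#   /var/log/mylogfile.3           -> /var/log/mylogfile
#   /var/log/mylogfile-20140312.gz -> /var/log/mylogfile
rotated_base() {
    printf '%s\n' "$1" | sed -E 's/\.gz$//; s/\.[0-9]+$//; s/-[0-9]{8}$//'
}

# Import one rotated file, or just print the command if DRY_RUN is set
# (DRY_RUN is a convention of this script, not a splunk option).
import_rotated() {
    f="$1"
    src="$(rotated_base "$f")"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'splunk add oneshot %s -rename-source %s\n' "$f" "$src"
    else
        splunk add oneshot "$f" -rename-source "$src"
    fi
}

# Re-import every rotated copy of one live log, e.g.
#   import_all_rotations /var/log/mylogfile
import_all_rotations() {
    base="$1"
    for f in "$base".[0-9]* "$base"-[0-9]*; do
        [ -f "$f" ] || continue      # glob did not match anything
        import_rotated "$f"
    done
}
```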

Problem solved, though the re-indexed data counts against your daily indexing quota.
