I had to import some old gzipped log files, so I simply ran:
splunk add oneshot /var/log/mylogfile.1.gz
The problem was that the source was /var/log/mylogfile.1.gz rather than /var/log/mylogfile, which broke some of the field extractions I use. I found that I could not use wildcards in the source to match the field extraction, and I couldn't key it off sourcetype as there were multiple sourcetypes involved.
1. I figured out the ranges of the data and deleted it using a search
2. I readded the data using a oneshot with a rename-source
splunk add oneshot /var/log/mylogfile.1.gz -rename-source /var/log/mylogfile
(repeat multiple times for each compressed logfile of the same name)
Problem solved, though this will count against your quota, as the data is being re-indexed.
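To avoid retyping the oneshot command for every rotated copy, a small POSIX shell helper, added here and not part of the original post, derives the rename-source path from each rotated .gz name and runs (or, with DRY_RUN=1, prints) the command. It assumes the splunk binary is on PATH, overridable via SPLUNK_BIN.

```shell
#!/bin/sh
# Derive the unrotated path from a rotated, gzipped log file name, e.g.
#   /var/log/mylogfile.1.gz -> /var/log/mylogfile
#   /var/log/mylogfile.gz   -> /var/log/mylogfile
# Names without a numeric rotation suffix (e.g. date-stamped rotations)
# are returned with only the .gz removed.
rename_source_for() {
    f=$1
    f=${f%.gz}                                  # drop the .gz suffix
    case $f in
        *.[0-9]|*.[0-9][0-9]|*.[0-9][0-9][0-9])  # numeric logrotate suffix
            f=${f%.*} ;;
    esac
    printf '%s\n' "$f"
}

# Build the exact command line that will be run for one file.
# SPLUNK_BIN is an assumed override; it defaults to "splunk" on PATH.
oneshot_cmd_for() {
    printf '%s add oneshot %s -rename-source %s\n' \
        "${SPLUNK_BIN:-splunk}" "$1" "$(rename_source_for "$1")"
}

# Re-import every rotated copy given on the command line under its
# original source name. DRY_RUN=1 prints the commands instead of
# running them, so you can check the derived names before re-indexing
# (which, as noted above, counts against your quota).
import_rotated() {
    for f in "$@"; do
        src=$(rename_source_for "$f")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            oneshot_cmd_for "$f"
        else
            "${SPLUNK_BIN:-splunk}" add oneshot "$f" -rename-source "$src" || return 1
        fi
    done
}
```

Typical use: `DRY_RUN=1 import_rotated /var/log/mylogfile.*.gz` to review, then the same call without DRY_RUN to index.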