We had an index that had incorrect timestamp mapping. To correct this we exported all the log entries for the index into a txt file. We then attempted to load the file into Splunk and received the error: Your Entry was not saved. The following error was reported: server abort
I checked SplunkD logs but did not see any indication of the error or how to correct it. I have tried to manually load the file and have the splunk instance monitor the directory location that the data file is in, but neither have worked. The data file is 1.7 GB I am not sure if the filesize maybe causing the issue. Has anyone had this issue before? How did you resolve it?
I ended up using the oneshot command through the CLI to enter the file all at once this worked great much better than the Splunk GUI which kept giving different kinds of errors. Syntax is
splunk oneshot add [filename/path] -sourcetype [desired sourcetype] -index [desired index] thanks everyone for looking.
I ended up using the oneshot command through the CLI to enter the file all at once this worked great much better than the Splunk GUI which kept giving different kinds of errors. Syntax is
splunk oneshot add [filename/path] -sourcetype [desired sourcetype] -index [desired index] thanks everyone for looking.