Solved: manually copying log files... overwrite or add new...

glennh · ‎07-08-2011

Hi folks,

I'm trialling Splunk and while I'm waiting for my support folks to install the Splunk Forwarder on my Tomcat servers I have installed a forwarder on my dev pc monitoring a directory and manually copied my tomcat logs to my local monitored directory.

When I take a new copy of the tomcat logs should I just overwrite the current logs? Will this cause the original logs to be reindexed and sho duplicate events in Splunk?

thanks

Glenn

jbsplunk · ‎07-08-2011

If you are writing data to the same index, you are essentially duplicating data. Splunk guards against this by looking at the first 256 bytes of data. If the crcSalt we come up with matches one we've previously calculated, we'll skip indexing that file. If you want Splunk to reindex files from the forwarder and your just in a trial at the moment, you may want to think about cleaning out the indexed data with the the command 'splunk clean eventdata' from $SPLUNK_HOME/bin/.

View solution in original post

jbsplunk · ‎07-08-2011

If you are writing data to the same index, you are essentially duplicating data. Splunk guards against this by looking at the first 256 bytes of data. If the crcSalt we come up with matches one we've previously calculated, we'll skip indexing that file. If you want Splunk to reindex files from the forwarder and your just in a trial at the moment, you may want to think about cleaning out the indexed data with the the command 'splunk clean eventdata' from $SPLUNK_HOME/bin/.

manually copying log files... overwrite or add new?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases