Where do logs go when uploaded via Splunk Web's 'A...

kausar · ‎06-22-2016

I uploaded a .zip data file through web Add Data -> upload. It worked fine and I see the data when searching in the right index, but can't seem to find the zip anywhere on the host. What location/path do the uploaded files get saved to?

anandpasunoori · ‎06-29-2016

as a normal user, you have added the data? If yes, please let me know, how to enable this adddata option for normal user

woodcock · ‎06-22-2016

They get parsed, indexed, compressed, and stored in buckets on the indexers.

splunk_force_as · ‎06-22-2016

The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets.

ChrisG · ‎06-22-2016

See How the indexer stores indexes in the Managing Indexers and Clusters of Indexers manual for more information.

kausar · ‎06-22-2016

Thanks. Does that mean, it deletes/renames the original uploaded file? For example, in web I see, 'tutorialdata.zip:./www3/access.log' in the 'source' field. But there is no such file 'tutorialdata.zip' on the server, looks like this is just saved as metadata info. Note that it is a test/all-in-one box (SH, indexer).

Where do logs go when uploaded via Splunk Web's 'Add Data' -> Upload feature?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk