Security

Where do logs go when uploaded via Splunk Web's 'Add Data' -> Upload feature?

kausar
Path Finder

I uploaded a .zip data file through web Add Data -> upload. It worked fine and I see the data when searching in the right index, but can't seem to find the zip anywhere on the host. What location/path do the uploaded files get saved to?

0 Karma

anandpasunoori
New Member

as a normal user, you have added the data? If yes, please let me know, how to enable this adddata option for normal user

0 Karma

woodcock
Esteemed Legend

They get parsed, indexed, compressed, and stored in buckets on the indexers.

0 Karma

splunk_force_as
Path Finder

The files get indexed into splunk. Splunk (by default...this is configurable) saves the transformed data to the $SPLUNK_HOME/var/log/splunk directory. You will find the compressed version of your data under a directory within $SPLUNK_HOME/var/log/splunk . The directory should have the same name as your index unless you made that index the default index. The data within the index directory will contain subdirectories organized by age, these are called buckets. Your data will be contained within these buckets.

ChrisG
Splunk Employee
Splunk Employee

See How the indexer stores indexes in the Managing Indexers and Clusters of Indexers manual for more information.

0 Karma

kausar
Path Finder

Thanks. Does that mean, it deletes/renames the original uploaded file? For example, in web I see, 'tutorialdata.zip:./www3/access.log' in the 'source' field. But there is no such file 'tutorialdata.zip' on the server, looks like this is just saved as metadata info. Note that it is a test/all-in-one box (SH, indexer).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...