How do I use/activate the short term bulk loading ...

yihan · ‎06-01-2019

Hi all, Currently I am using the Splunk Free version. However, i would like to import the splunk bots dataset into the splunk server to . They are 6GB large.

According to splunk free documentation on https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/MoreaboutSplunkFree,

"Is Splunk Free for you?
Splunk Free is designed for personal, ad hoc search and visualization of IT data. You can use Splunk Free for ongoing indexing of small volumes (<500 MB/day) of data. Additionally, you can use it for short-term bulk-loading and analysis of larger data sets--Splunk Free lets you bulk-load much larger data sets up to 3 times within a 30 day period. This can be useful for forensic review of large data sets."

How do I use/activate the short term bulk loading? I tried to import the dataset via installing a app, but received the error message of maximum size is 500mb.

soskaykakehi · ‎06-02-2019

Hi @yihan

How did you input the log file? If you are uploading with Splunk WebUI, it is failing due to HTTP file transfer size limitation. It is not a license limitation.

When importing logs larger than 500MB, split the file so that one file is less than 500MB. Then try uploading from WebUI.

soskaykakehi · ‎06-02-2019

Other option is using input monitor or oneshot command.

DavidHourani · ‎06-02-2019

Hi @yihan, what do you mean tried importing the dataset via installing an app ? Did you setup a monitor on the required files via inputs.conf or GUI ?

yihan · ‎06-02-2019

The dataset given from splunk for Bots SOC is given as an app to import: https://github.com/splunk/botsv1

How do I use/activate the short term bulk loading using the Splunk free version?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!