How to force Splunk to pull logs that were missed ...

hohojoe23 · ‎01-29-2016

I recently had an issue where Splunk lost connectivity with a log server. After the network connectivity was restored, it proceeded with pulling/indexing the logs from the time the network connectivity was restored and did not go back and pick up from where it had left off.

Previous network issues that caused a loss of connectivity with Splunk did not have this end result and it picked up from where it left off and everything was okay.

Currently Splunk is functioning with any new logs that are coming in. I'm trying to figure out a way to get the missing logs over to Splunk. Whether it be a command that will manually pull logs from a particular date range or if needed manually move the logs from the log server to Splunk.

skoelpin · ‎01-29-2016

How are you verifying that Splunk is missing the logs? It will forward and index the logs retroactively when you start the splunk service up. Just the other day I realized that the Splunk forwarder was off for an entire month when I got my monthly report. I went onto the box and started the service and got ~10 million events which made up my report.

But anyways, if your convinced that it's not pulling data retroactively, you can always upload the file directly into Splunk and bypass the forwarder. Here's an article showing how to do that, it's very straight forward

http://docs.splunk.com/Documentation/SplunkLight/6.3.0/Gettingstarted/Uploadafile

How to force Splunk to pull logs that were missed during a lost network connection?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases