Other than the oneshot... how would one toss a file into an index through the CLI? I likely missed it in the documentation, but I couldn't find it. Is there a REST endpoint to do the same? Maybe oneshot is the only solution to that?
If you intend to index the file instead of having Splunk monitoring/tailing it, then I think the CLI "oneshot" command is indeed the best solution.
You could also create a new monitor input for that file from the CLI. This will index your file, but it won't be at all the same as "uploading" it to Splunk as a one-time thing, as Splunk will keep tracking it.
Another possibility is to toss the file into $SPLUNK_HOME/var/spool/splunk, which is set up by default as a batch input (see $SPLUNK_HOME/etc/system/default/inputs.conf). Note that the file will be indexed destructively, so you may want to copy it there, not move it.
Hiddenkirby,
Just add an extra line to the top of your file that looks something like this: ***SPLUNK*** sourcetype=YourSourcetype index=YourIndex host=foo1 ... and Splunk will index your file with those parameters. Read more about it in the Splunk docs: http://www.splunk.com/base/Documentation/4.1.5/Admin/Assignmetadatatoeventsdynamically I use the built-in sinkhole when I am doing a quick test of a new log-type to evaluate it before setting up a perm monitor, or when doing an investigation and I need to get a bunch of evidence into Splunk from a system that wasn't already monitored by Splunk.
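The two answers above describe the same workflow: stage a copy of the file (never the original, because the batch input deletes what it indexes) in the spool directory, optionally with a ***SPLUNK*** header line so sourcetype, index and host are applied to every event. The script below is an added example, not code from either poster or from Splunk; it assumes SPLUNK_HOME is /opt/splunk unless set, and the spool_file function name and SPLUNK_SPOOL_DIR variable are its own inventions.

```shell
#!/bin/sh
# Added example (not from the thread): copy a log file into Splunk's
# batch-input ("sinkhole") directory, optionally prepending a ***SPLUNK***
# metadata header, so the original file survives destructive indexing.

# Assumption: SPLUNK_HOME defaults to /opt/splunk when not set.
: "${SPLUNK_HOME:=/opt/splunk}"
# Default batch input directory from the stock inputs.conf.
SPLUNK_SPOOL_DIR="${SPLUNK_SPOOL_DIR:-$SPLUNK_HOME/var/spool/splunk}"

# spool_file SRC [SOURCETYPE] [INDEX] [HOST]
# Writes a uniquely named copy of SRC into $SPLUNK_SPOOL_DIR and prints its
# path. If any metadata argument is given, the copy starts with a
# "***SPLUNK*** key=value ..." line that Splunk reads as per-file metadata.
spool_file() {
    src=$1; st=$2; idx=$3; hst=$4
    [ -f "$src" ] || { echo "spool_file: not a file: $src" >&2; return 1; }
    [ -d "$SPLUNK_SPOOL_DIR" ] || { echo "spool_file: no spool dir: $SPLUNK_SPOOL_DIR" >&2; return 1; }

    # mktemp gives a unique name, so two staged copies of the same log never clobber each other.
    dest=$(mktemp "$SPLUNK_SPOOL_DIR/$(basename "$src").XXXXXX") || return 1

    if [ -n "$st$idx$hst" ]; then
        hdr='***SPLUNK***'
        [ -n "$st" ]  && hdr="$hdr sourcetype=$st"
        [ -n "$idx" ] && hdr="$hdr index=$idx"
        [ -n "$hst" ] && hdr="$hdr host=$hst"
        # Header line first, then the untouched log content.
        { printf '%s\n' "$hdr"; cat "$src"; } > "$dest"
    else
        # No metadata requested: plain copy (cp, never mv).
        cp "$src" "$dest"
    fi
    printf '%s\n' "$dest"
}

# Usage:
#   spool_file /var/log/app.log my_sourcetype main foo1
#   spool_file /var/log/app.log            # copy with no header
```

The header is only prepended to the staged copy, so the evidence file itself is never altered. If you would rather not rely on the spool directory at all, the oneshot CLI form mentioned in the first answer (`splunk add oneshot <file> -sourcetype <st> -index <idx>`) achieves the one-time index without Splunk deleting anything.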
