Hello!
Our Splunk server receives dc logs on a daily basis from another network team. Under Files & Directories in Data Inputs, I have the file path for those logs configured to be continuously monitored since we receive those logs from another organization. I set a custom index for those logs and it's not showing any data in that index.
I've verified that it's not a permissions issue. I decided to manually upload one of those files into Splunk and noticed that they are .tsidx files. After uploading, I wasn't able to read any of the data on the .tsidx file. Is that normal? Am I doing anything incorrect? We need to be able to audit those dc logs.
Thanks in advance!
Does the custom index exist on all of the indexers? If not, then you won't find data in it.
If the data is not onboarded properly then finding it may be a challenge. In particular, the timestamp field must be accurate. If events are dated in the future (easy to do) then most searches will not find it.
Splunk tsidx files are not meant to be read by humans. The contents are stored in a proprietary format. Use Splunk to read the files (not directly, but by running a search).
Thank you for clarifying! I'm new to tsidx files so I didn't know if they were meant to be read. I guess we haven't been collecting the logs from active directory specifically so we're working on that. 🙂
Does the custom index exist on all of the indexers? If not, then you won't find data in it.
If the data is not onboarded properly then finding it may be a challenge. In particular, the timestamp field must be accurate. If events are dated in the future (easy to do) then most searches will not find it.
Splunk tsidx files are not meant to be read by humans. The contents are stored in a proprietary format. Use Splunk to read the files (not directly, but by running a search).