When you need to index new data and you are unfamiliar with its format, it is always best practice to use a temporary index. You should begin by creating a temporary index just for this purpose. Once you have this temporary index, you can use a Splunk command to add the file once. This process is called oneshot indexing. This is crucial when you know you have to transform the data prior to indexing, for instance when using props.conf and transforms.conf. A nice feature of oneshot indexing is that there is no need for any kind of configuration before uploading.
Here is how you perform oneshot indexing using the CLI:
C:\> c:\splunk\bin\splunk add oneshot TestFile.log -index TempIndex -sourcetype TempSourceType
You can also do this from the UI by going to Settings | Data inputs | Files and Directories | Add new. Then browse for the file and click on Index Once.
These methods will only work when Splunk is stopped. It will warn you if it is...