Import Raw Data from Splunk
Follow the steps below to import raw data from Splunk into Sumo Logic.
info
Although you can import data from Splunk, Sumo Logic does not support Splunk functionality or any commands included below.
- Do one of the following:
- Use the Splunk search command to construct queries that return a group of messages that match source configurations in Sumo Logic (e.g., multiline detection, timezone settings). For example, messages that match Unix logs and messages that match Windows logs. Then, export these messages using the
splunk searchcommand (at the command-line) with the-output rawdataoption to individual files (with a simple redirect). Each file in turn can then be configured to be picked up by Sumo Logic. - Use the Splunk
export eventdatacommand. This automatically creates copies of the original raw files for an index. Then you can pick and choose which of these you want to get to Sumo Logic using collector sources and configure each one according to your needs.
- Use the Splunk search command to construct queries that return a group of messages that match source configurations in Sumo Logic (e.g., multiline detection, timezone settings). For example, messages that match Unix logs and messages that match Windows logs. Then, export these messages using the
- Configure your Sumo Logic Sources to pick up the logs from the directories you've just exported.