re-importing historical logs (or rather, starting from scratch again)
I was on a trial Sumo Logic account, ingesting a single source of AWS CloudFront logs. Really simple, just an S3 bucket with gzipped CloudFront logs. On the trial account I had access to go back 30 days. The trial ended, and data after 7 days disappeared. Now I'm a paid-up account, and want to sort of 'start from scratch'. I want to re-import the last 90 days' logs, and then let it retain 30 days ongoing. Do I need to just delete and re-add the collector? Or any tips on how to re-import the data? Can I delete the old messages/logs file entries?
Hi Rohan,

Good to hear you're now fully using Sumo. Here's what I would do in your case, assuming your Collector is up and running:

-- No need to delete the existing Collector - you can just delete the existing Source which you had originally created. This will stop ingesting any more "test" logs.
-- Create a new Source for the existing Collector. Make sure you do not use the Setup Wizard since this does not give you the advanced setting to start collection 90 days back. Instead go to your Manage Collection page (Manage >> Collection) and click on Add Source for your Collector.
-- For step #2, you choose a different _sourceCategory for your data (i.e. prod/aws/cloudfront) than you used initially. That way, there's no need to delete the old "test" data and you can let the old data simply fall off when it hits the retention period.

This should do the trick.

Cheers,
Mario