https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669589#M112269 <P>You can check the status of your inputs with</P><PRE>splunk list monitor</PRE><P>and</P><PRE>splunk list inputstatus</PRE> Thu, 23 Nov 2023 19:18:52 GMT PickleRick 2023-11-23T19:18:52Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669445#M112248 <P>Hello, I´m trying to resolve monitoring issue of available .csv files of specific directory. There are several files marked by different date e.g. 2023-11-16_filename.csv or 2023-11-20_filename.csv.<BR />None of them has the same date at the beginning for this reason. I´m able synch with the server most of the files but there are some which I´m not. For example my indexing started on 02.10.23 and all the files matching or later are available as source. But all the files before this date are not e.g. 2023-09-15_filename.csv.<BR />What could cause this performance and is there a way how to push files to available as a source even they marked with the date before 02.10.2023 ? Thanks</P> Wed, 22 Nov 2023 10:28:32 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669445#M112248 Stives 2023-11-22T10:28:32Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669449#M112249 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223397">@Stives</a>&nbsp;,<BR />How does your Inputstanza looks like?<BR />If no crcSalt is specified in the stanza, Splunk will look into the first (i think 256) Bytes of a file and determines based on that if it already know the File.<BR />If the first Bytes in the CSV files will always be the same you could change your inputstanza and add&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">crcSalt = &lt;SOURCE&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>docs to monitoring stanza for a deeper look into crcSalt:&nbsp;<BR /><A href="https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#MONITOR" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#MONITOR</A>:<BR /><BR />But be cautious, this will tell splunk to watch for the full path to determine if this file is already been indexed, so there is a possibility that you index the same file twice. Especially for Directories with rolling logfiles.<BR /><BR />Other possibility could be that the dates are out of the retention time scope. (If the files got indexed once but due to retention time got removed again when its bucket is not hot anymore)</P> Wed, 22 Nov 2023 10:53:35 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669449#M112249 TheEggi98 2023-11-22T10:53:35Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669553#M112260 <P>Hello, thanks for reply.&nbsp;</P><PRE>crcSalt = &lt;SOURCE&gt;</PRE><P>I´ve been adding crcSalt into my stanza but still the not all the files have been synced either.&nbsp;</P> Thu, 23 Nov 2023 09:32:21 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669553#M112260 Stives 2023-11-23T09:32:21Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669556#M112261 <P>crcSalt is actually very rarely the proper option to set. It's often better to raise the initCrcLength to a higher value in case the file has a pretty constant header.</P> Thu, 23 Nov 2023 10:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669556#M112261 PickleRick 2023-11-23T10:36:16Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669561#M112262 <P>Hello I see. You mean anything like this ?</P><PRE>initCrcLength = &lt;256&gt;</PRE><P>&nbsp;</P> Thu, 23 Nov 2023 11:21:18 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669561#M112262 Stives 2023-11-23T11:21:18Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669562#M112263 <P>Close. But without the &lt;&gt; part (the &lt;SOURCE&gt; part must be literally put this way if you use this option). And you'd typically want a higher value if you have a constant header.</P><P>Something like</P><PRE>initCrcLength = 1024</PRE><P>for example.</P> Thu, 23 Nov 2023 11:24:14 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669562#M112263 PickleRick 2023-11-23T11:24:14Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669576#M112264 <P>Thanks for reply. I´ve tried with the option:&nbsp;</P><PRE>initCrcLength = 1024</PRE><P>But still not all the files have been synced. There are still more pending.</P> Thu, 23 Nov 2023 14:43:44 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669576#M112264 Stives 2023-11-23T14:43:44Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669577#M112265 <P>One more. I was checking and one of the files has more than&nbsp; 124 000 bytes. What value I should define for initCrcLenght ?&nbsp; &nbsp;</P> Thu, 23 Nov 2023 15:11:17 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669577#M112265 Stives 2023-11-23T15:11:17Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669589#M112269 <P>You can check the status of your inputs with</P><PRE>splunk list monitor</PRE><P>and</P><PRE>splunk list inputstatus</PRE> Thu, 23 Nov 2023 19:18:52 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669589#M112269 PickleRick 2023-11-23T19:18:52Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669613#M112271 <P>Hi</P><P>Are you sure that you haven't set this?</P><PRE>ignoreOlderThan</PRE><P>&nbsp;Can you post your inputs.conf for this source, so we can check if there is something else which can cause this behaviour?</P><P>r. Ismo</P> Fri, 24 Nov 2023 06:40:53 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669613#M112271 isoutamo 2023-11-24T06:40:53Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669619#M112273 <P>Hello Ismo,</P><P>inputs.conf definition looks like this:<BR /><BR />[monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/*production_statistics.csv]<BR />index = sts<BR />disabled = false<BR />sourcetype = STSLOGMPPS<BR />crcSalt = &lt;SOURCE&gt;<BR /><BR />by *production_statistics.csv I make sure all the files have to be synced they only contain different dates at the beginning of each file name. Seems I´m able sync only the files by the deployment date. Means files from date when UF been deployed are synced but the everything before not.<BR />BR<BR /><BR /></P> Fri, 24 Nov 2023 08:22:48 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669619#M112273 Stives 2023-11-24T08:22:48Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669636#M112275 <P>Thanks.&nbsp;</P><P>How about outputs of&nbsp;</P><LI-CODE lang="markup">splunk list inputstatus</LI-CODE><P>as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;asked? That command shows what files it has read and how much has managed.</P><P>Also you could try&nbsp;</P><LI-CODE lang="markup">splunk btool inputs list monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/ --debug</LI-CODE><P>to see if there is somewhere defined some weird defaults for your inputs.&nbsp;</P> Fri, 24 Nov 2023 12:23:16 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-of-files/m-p/669636#M112275 isoutamo 2023-11-24T12:23:16Z