https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130825#M26886 <P>Have you looked into the batch command as opposed to monitor?</P> Sun, 06 Jul 2014 02:07:08 GMT Runals 2014-07-06T02:07:08Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130821#M26882 <P>I am monitoring the logs for an application that spits out 3 xml files per day that I want indexed to 1 event per entire file. Everything is setup and working properly when the files are initially indexed because the files are already complete. </P> <P>The problem is when the application is actually building the file.<BR /> 1. The application is creates the file<BR /> 2. Splunk indexes what is created<BR /> 3. the application adds to the file<BR /> 4. splunk indexes the addition to another event<BR /> 5. application adds more to the file<BR /> 6. splunk indexes changes to another event.<BR /> 7. so on and so forth.</P> <P>Since Monitor doesn't use Interval to index new files every however many seconds or via cron job I kinda at a loss. I have tried setting the time_before_close=120 but that still indexes the file at creation and then will index the file modifications of the next 2 min in another event. I am wanting 1 event per file. This isn't a high demand application so indexing the files once a day would be acceptable.</P> <P>Here is my inputs and props which are pretty simple.</P> <P>[monitor://whatever]<BR /> disabled=false<BR /> index=data<BR /> whitelist=.xml<BR /> blacklist=garbage<BR /> sourcetype=info<BR /> time_before_close=120</P> <P>[info]<BR /> break_only_before=GOBBLEDEEGOOP<BR /> max_events=200000<BR /> time_prefix=start-time</P> Mon, 28 Sep 2020 16:59:37 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130821#M26882 jeffflynn 2020-09-28T16:59:37Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130822#M26883 <P>First of all, props.conf settings are case sensitive so "break_only_before" needs to be BREAK_ONLY_BEFORE, and so on.</P> Mon, 28 Sep 2020 16:59:39 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130822#M26883 Ayn 2020-09-28T16:59:39Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130823#M26884 <P>yea. that just lazy typing on my part. i have everything in caps in my props file</P> Thu, 03 Jul 2014 19:20:30 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130823#M26884 jeffflynn 2014-07-03T19:20:30Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130824#M26885 <P>You may write a small script to read the file and setup a scripted data input to read script's output. <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Setupcustominputs">http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Setupcustominputs</A></P> Thu, 03 Jul 2014 19:20:33 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130824#M26885 somesoni2 2014-07-03T19:20:33Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130825#M26886 <P>Have you looked into the batch command as opposed to monitor?</P> Sun, 06 Jul 2014 02:07:08 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130825#M26886 Runals 2014-07-06T02:07:08Z https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130826#M26887 <P>I think my best chance at getting what I need is to run a script every morning that will copy the new files to a subfolder. Then index the files from the subfolder using a batch command instead of monitor. </P> Mon, 07 Jul 2014 15:15:43 GMT https://community.splunk.com/t5/Getting-Data-In/Inputs-conf-Monitoring-1-file-1-event/m-p/130826#M26887 jeffflynn 2014-07-07T15:15:43Z