topic Re: Monitor daily reports in Getting Data In

Monitor daily reports

iceokoli — Tue, 03 Jun 2014 10:52:32 GMT

I need to monitor daily reports with splunk.
However the events in the logs are constantly updated throughout the day as each event lasts a whole a day.
is there anyway to configure splunk to ensure that it does not parse the event into splunk untill the event has finished?

Re: Monitor daily reports

MuS — Tue, 03 Jun 2014 11:33:38 GMT

Hi iceokoli,

no, this is not possible using a monitor stanza in inputs.conf. A Monitor stanza will observe the file or directory constantly for new data.

But ...

you could setup a monitor stanza in inputs.conf to monitor a directory and have some cron driven script that will copy the source file in question into that directory. Splunk will then take only this copied file and index its data.
if you're using an universal forwarder to monitor this file, use a cron job to start and stop Splunk universal forwarder at a curtain time during the day.
you can create some script wrapper that starts the universal forwarder after that event in question is finished ...

You see, there are some options but out of the box this will not work the way you asked.

hope this helps ...

cheers, MuS

Re: Monitor daily reports

iceokoli — Tue, 03 Jun 2014 12:22:29 GMT

thanks alot

Re: Monitor daily reports

MuS — Tue, 03 Jun 2014 12:32:18 GMT

you're welcome. please mark this as answered by ticking the tick - thx 🙂