https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233325#M45519 <P>Hi, </P> <P>I have one application at my company which logs only once a day. <BR /> It hereby overwrites the file of the day before. <BR /> How can I tell the universal forwarder to grab a specific file only once a day?<BR /> I want to set an interval, there is no need for an exact point in time.</P> <P>Thank you!</P> <P>Best Regards,<BR /> pyro_wood</P> Thu, 14 Jan 2016 20:59:44 GMT horsefez 2016-01-14T20:59:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233325#M45519 <P>Hi, </P> <P>I have one application at my company which logs only once a day. <BR /> It hereby overwrites the file of the day before. <BR /> How can I tell the universal forwarder to grab a specific file only once a day?<BR /> I want to set an interval, there is no need for an exact point in time.</P> <P>Thank you!</P> <P>Best Regards,<BR /> pyro_wood</P> Thu, 14 Jan 2016 20:59:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233325#M45519 horsefez 2016-01-14T20:59:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233326#M45520 <P>Do you see any issue with regular options of monitoring OR batch?</P> Thu, 14 Jan 2016 21:34:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233326#M45520 somesoni2 2016-01-14T21:34:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233327#M45521 <P>If you set the universal forwarder to <STRONG>monitor</STRONG> the file, it will check it throughout the day. When the file changes completely, Splunk will index the entire new file at some point after the change.</P> <P>Note that Splunk checks the first 256 bytes of the file to check to see whether the file has been replaced or just appended. So if the first part of the file is always the same, Splunk may not realize that it really is a new file. You can fix this by setting the following in the inputs.conf stanza that is monitoring the file:</P> <PRE><CODE>initCrcLength = 1024 </CODE></PRE> <P>Although you may need to set it to something larger - it needs to be a number of bytes that will force Splunk to look beyond any common header.</P> <P>There are other settings that can force Splunk to always re-index the entire file when it changes (eg., crcSalt). You can find out more about this by reading about <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Admin/Inputsconf">inputs.conf in the Admin manual</A>.</P> <P>Although you can set up Splunk "to check at an interval" by using scripts, but that is kludgy compared to just setting a monitor input. As @somesoni2 suggests, this is the best practice. The monitor input is reliable and low overhead.</P> Thu, 14 Jan 2016 22:03:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233327#M45521 lguinn2 2016-01-14T22:03:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233328#M45522 <P>Thank you for this helpful reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 Jan 2016 09:25:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-set-time-interval-on-a-universal-forwarder-to-check-a/m-p/233328#M45522 horsefez 2016-01-15T09:25:09Z