https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31784#M5586 <P>Is it possible to stop the files (/opt/splunk/var/spool/splunk/singlehost.sample.sav) from getting indexed.</P> Mon, 13 May 2013 20:40:13 GMT dhs_harry08 2013-05-13T20:40:13Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31782#M5584 <P>hi,</P> <P>I have this source showing in the splunk source=/opt/splunk/var/spool/splunk/singlehost.sample.sav</P> <P>But when I checked the server I am unable to find this particular file. How is this possible.</P> <P>If I want to find the source in this case how can I do it. For example if the data is coming through a network port. </P> <P>Regards,<BR /> Harish</P> Mon, 13 May 2013 20:04:58 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31782#M5584 dhs_harry08 2013-05-13T20:04:58Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31783#M5585 <P>The data source just says where Splunk got the data from at the time of indexing. It doesn't say anything about the current status of that source.</P> <P>In your particular case, the source is a file in Splunk's spool directory - files that are put in this directory are immediately deleted after they've been indexed.</P> Mon, 13 May 2013 20:12:20 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31783#M5585 Ayn 2013-05-13T20:12:20Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31784#M5586 <P>Is it possible to stop the files (/opt/splunk/var/spool/splunk/singlehost.sample.sav) from getting indexed.</P> Mon, 13 May 2013 20:40:13 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31784#M5586 dhs_harry08 2013-05-13T20:40:13Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31785#M5587 <P>Is it possible to stop the files (/opt/splunk/var/spool/splunk/singlehost.sample.sav) from getting indexed</P> Mon, 13 May 2013 20:40:26 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31785#M5587 dhs_harry08 2013-05-13T20:40:26Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31786#M5588 <P>Easiest thing would be to make whatever is putting the files there in the first place stop what it's doing.</P> Mon, 13 May 2013 20:53:28 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31786#M5588 Ayn 2013-05-13T20:53:28Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31787#M5589 <P>I found the solution at last. These events were generated by an app by splunk SA-Eventgen. We were using PCI compliance app and while installation it seems this app was configured by default. After disabling the app these sample logs disappeared. </P> <P>I found the solution in the Splunk security app FAQs. <BR /> <A href="http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F">http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F</A></P> <P>But the same is not included in PCI compliance app documentation. Hope splunk sees this and update the PCI compliance app documentation.</P> <P>Regards,<BR /> Harish</P> Fri, 07 Jun 2013 15:11:33 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-the-source-file/m-p/31787#M5589 dhs_harry08 2013-06-07T15:11:33Z