<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: explanation needed in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38205#M7013</link>
    <description>&lt;P&gt;Hi, thanks for this information; it is helpful.&lt;/P&gt;

&lt;P&gt;About the enableRealtimeSearch = true, I got it from an application at the inputs.CONF. Cause I need real-time data &amp;amp; I am not getting any for 1 of the apps I created so I thought "enableRealtimeSearch = true" might be the reason.&lt;BR /&gt;
So there is no such config?&lt;/P&gt;</description>
    <pubDate>Sun, 18 Nov 2012 02:05:02 GMT</pubDate>
    <dc:creator>elaine0102</dc:creator>
    <dc:date>2012-11-18T02:05:02Z</dc:date>
    <item>
      <title>explanation needed</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38203#M7011</link>
      <description>&lt;P&gt;alwaysOpenFile = 1&lt;/P&gt;

&lt;P&gt;crcSalt = &amp;lt;SOURCE&amp;gt;&lt;/P&gt;

&lt;P&gt;enableRealtimeSearch = true&lt;/P&gt;

&lt;P&gt;Hi, can someone explain the above to me? Thank you.&lt;/P&gt;</description>
      <pubDate>Sat, 17 Nov 2012 15:15:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38203#M7011</guid>
      <dc:creator>elaine0102</dc:creator>
      <dc:date>2012-11-17T15:15:55Z</dc:date>
    </item>
    <item>
      <title>Re: explanation needed</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38204#M7012</link>
      <description>&lt;P&gt;Check the docs for full details on alwaysOpenFile and crcSalt for inputs.conf. Which file did you get enableRealtimeSearch = true from?&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0/admin/inputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/5.0/admin/inputsconf&lt;/A&gt;&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;alwaysOpenFile = [0|1]
 * Opens a file to check whether it has already been indexed.
 * Only useful for files that don't update modtime.
 * Only needed when monitoring files on Windows, mostly for IIS logs.
 * This flag should only be used as a last resort, as it increases load and slows down indexing.
 * Defaults to 0.

crcSalt = &amp;lt;string&amp;gt;
* Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy checks). (Splunk only 
  performs CRC checks against the first few lines of a file. This behavior prevents Splunk from indexing the same 
  file twice, even though you may have renamed it -- as, for example, with rolling log files. However, because the 
  CRC is based on only the first few lines of the file, it is possible for legitimately different files to have 
  matching CRCs, particularly if they have identical headers.)
* If set, &amp;lt;string&amp;gt; is added to the CRC.
* If set to the literal string &amp;lt;SOURCE&amp;gt; (including the angle brackets), the full directory path to the source file 
  is added to the CRC. This ensures that each file being monitored has a unique CRC.   When crcSalt is invoked, 
  it is usually set to &amp;lt;SOURCE&amp;gt;.
* Be cautious about using this attribute with rolling log files; it could lead to the log file being re-indexed 
  after it has rolled. 
* Defaults to empty. 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sat, 17 Nov 2012 19:44:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38204#M7012</guid>
      <dc:creator>sdaniels</dc:creator>
      <dc:date>2012-11-17T19:44:13Z</dc:date>
    </item>
    <item>
      <title>Re: explanation needed</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38205#M7013</link>
      <description>&lt;P&gt;Hi, thanks for this information; it is helpful.&lt;/P&gt;

&lt;P&gt;About the enableRealtimeSearch = true, I got it from an application at the inputs.CONF. Cause I need real-time data &amp;amp; I am not getting any for 1 of the apps I created so I thought "enableRealtimeSearch = true" might be the reason.&lt;BR /&gt;
So there is no such config?&lt;/P&gt;</description>
      <pubDate>Sun, 18 Nov 2012 02:05:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38205#M7013</guid>
      <dc:creator>elaine0102</dc:creator>
      <dc:date>2012-11-18T02:05:02Z</dc:date>
    </item>
    <item>
      <title>Re: explanation needed</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38206#M7014</link>
      <description>&lt;P&gt;For anyone coming here years later - Real Time Searches&lt;/P&gt;

&lt;P&gt;The gist is this:&lt;BR /&gt;
It is almost never ideal to allow every user to run realtime searches. There should be very specific use cases, i.e., following someone through a honeynet, looking at realtime high-risk activity, etc. At all other times, and ideally, for all other users, RT Search capability should be limited.&lt;/P&gt;

&lt;P&gt;The link below shows how and what to do:&lt;/P&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Restrictrealtimesearch"&gt;https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Restrictrealtimesearch&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 29 May 2019 12:44:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/explanation-needed/m-p/38206#M7014</guid>
      <dc:creator>arizviesi</dc:creator>
      <dc:date>2019-05-29T12:44:59Z</dc:date>
    </item>
  </channel>
</rss>

