https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397792#M70928 <P>Hi,</P> <P>I am monitoring multiple files/directory under different sourcetype. For one specific log file I am getting wiered behavior. <BR /> It's not being monitored Continuously, even though file is getting updated regularly.</P> <P>I am not getting any relevant error at both Splunk and forwarder side.</P> <P>Whenever I install new forwarder and configure this file to read, file is being picked only once and stop updating . (It's like reading a batch file)</P> <P>inputs.conf</P> <PRE><CODE>[monitor:///net/hp707srv/hp707srv2/apps/QCST_RSAT_v3.1.42_MASTER/qcstTools/qcst_out_alerts.log] disabled = false host = MTE_TEST index = mlc_live sourcetype = MTE_ALERT crcSalt = &lt;Source&gt; </CODE></PRE> Wed, 03 Apr 2019 12:50:28 GMT AKG1_old1 2019-04-03T12:50:28Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397792#M70928 <P>Hi,</P> <P>I am monitoring multiple files/directory under different sourcetype. For one specific log file I am getting wiered behavior. <BR /> It's not being monitored Continuously, even though file is getting updated regularly.</P> <P>I am not getting any relevant error at both Splunk and forwarder side.</P> <P>Whenever I install new forwarder and configure this file to read, file is being picked only once and stop updating . (It's like reading a batch file)</P> <P>inputs.conf</P> <PRE><CODE>[monitor:///net/hp707srv/hp707srv2/apps/QCST_RSAT_v3.1.42_MASTER/qcstTools/qcst_out_alerts.log] disabled = false host = MTE_TEST index = mlc_live sourcetype = MTE_ALERT crcSalt = &lt;Source&gt; </CODE></PRE> Wed, 03 Apr 2019 12:50:28 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397792#M70928 AKG1_old1 2019-04-03T12:50:28Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397793#M70929 <P>Have you considered <STRONG>crcSalt</STRONG> as described in <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A> ?</P> Wed, 03 Apr 2019 13:43:59 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397793#M70929 Laszlo_K 2019-04-03T13:43:59Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397794#M70930 <P>When you define monitor stanza (the others in your inputs.conf in the UF/HF), are you ensuring that no other stanza is resolving to the above path <CODE>///net/hp707srv/hp707srv2/apps/QCST_RSAT_v3.1.42_MASTER/qcstTools/</CODE> ? </P> <P>Also, how often does this file get updated and rotated? did you try crcSalt /crc checksum length?</P> Wed, 03 Apr 2019 15:35:40 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397794#M70930 lakshman239 2019-04-03T15:35:40Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397795#M70931 <P>I have tried installing fresh forwarder for monitoring only this file. After starting the forwarder full file injested in Splunk but later on it's not getting updated.</P> <P>I have used crcSalt = as well but didn't work. </P> <P>Around 30-50 lines are updated in one hour.</P> Wed, 03 Apr 2019 15:46:05 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397795#M70931 AKG1_old1 2019-04-03T15:46:05Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397796#M70932 <P>yesI have tried with</P> <PRE><CODE> crcSalt = &lt;Source&gt; </CODE></PRE> Wed, 03 Apr 2019 16:08:42 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397796#M70932 AKG1_old1 2019-04-03T16:08:42Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397797#M70933 <P>Assuming, you get new events every 1hr, are you seeing any warning/errors in splunkd.log from the time your file is first indexed to say till next 1 or 2 hrs? [ e.g file crc checksum error, file ignored, parsing error]. Also, using the metrics.log, can you check if you are constantly receiving other _internal logs from the host, so we can isolate the issue to only this specific file. I assume this is a normal text file.</P> Thu, 04 Apr 2019 04:05:17 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397797#M70933 lakshman239 2019-04-04T04:05:17Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397798#M70934 <P>Issue is resolved by updating TIME_FORMAT In props.conf<BR /> Earlier TIME_FORMAT was not defined. but wiered thing is it was working fine initially for a month with no TIME_FORMAT . My assumption is if its not defined it takes current time bydefault. </P> <P>props.conf<BR /> [MTE_ALERT]<BR /> DATETIME_CONFIG = <BR /> NO_BINARY_CHECK = true<BR /> SHOULD_LINEMERGE = false<BR /> category = Custom<BR /> disabled = false<BR /> pulldown_type = true<BR /> REPORT-MTE_ALERT = REPORT-MTE_ALERT<BR /> TIME_FORMAT = %d/%m/%Y | %H:%M:%S<BR /> TIME_PREFIX = ^</P> Wed, 30 Sep 2020 00:01:38 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397798#M70934 AKG1_old1 2020-09-30T00:01:38Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397799#M70935 <P>@lakshman239 : Thanks for help. its got resovled.</P> Thu, 04 Apr 2019 08:40:31 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-monitoring-one-specific-log-file/m-p/397799#M70935 AKG1_old1 2019-04-04T08:40:31Z