https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/530215#M89268 <P>Splunk tries its best to avoid re-indexing entire files that are ingesting via a <FONT face="courier new,courier">monitor</FONT> stanza.&nbsp; I'm not aware of any setting to override that behavior.</P><P>Consider using <FONT face="courier new,courier">batch</FONT> input, instead.&nbsp; Splunk will read the entire file, but will delete it afterward.&nbsp; That means your application must be prepared to re-create the file.&nbsp; It also runs the risk of a race condition between Splunk and your app.&nbsp; Can the application be configured to write a new file instead of overwriting existing files?</P> Fri, 20 Nov 2020 14:30:24 GMT richgalloway 2020-11-20T14:30:24Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529280#M89174 <P>Hello everybody,</P><P>we are monitoring via Universal Forwarder several directories with a large XML file in there (around 1000 lines). These files changes every few seconds, and the change also involves the timestamp which is written in the first 256 bytes of the file.</P><P>I need to ingest these files entirely at every change but, instead, Splunk ingest me these files only one time every some hours or even days. Do you have any suggestion on how can I fix this?</P><P>Here's the props.conf in my heavy forwarders (we have a distributed environment):<BR />[xml_atm]<BR />TRANSFORMS-routing=xmlatm-route<BR />SHOULD_LINEMERGE=true<BR />LINE_BREAKER=(?:restart)([\r\n]+)<BR />CHARSET=ISO-8859-1<BR />CHECK_METHOD = modtime<BR />MAX_EVENTS=4000<BR />TRUNCATE=0<BR />disabled=false<BR />TIME_PREFIX=restart-flag="<BR />REPORT-xmlext=xml-extr<BR /><BR />While inputs.conf in UF is this:<BR /><SPAN>[monitor://D:\ABC\Monitor\Monitor\Inputs\*\*.xml]</SPAN><BR /><SPAN>disabled = 0</SPAN><BR /><SPAN>host_segment = 5</SPAN><BR /><SPAN>index = my_index</SPAN><BR /><SPAN>sourcetype = xml_atm</SPAN></P><P>Thanks in advance.</P> Fri, 13 Nov 2020 14:18:39 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529280#M89174 nicofantinato 2020-11-13T14:18:39Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529300#M89176 <P>Please share the relevant inputs.conf stanza from the UFs.</P> Fri, 13 Nov 2020 13:46:48 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529300#M89176 richgalloway 2020-11-13T13:46:48Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529301#M89177 <P>Here is the inputs.conf on the UF<BR />[monitor://D:\ABC\Monitor\Monitor\Inputs\*\*.xml]<BR />disabled = 0<BR />host_segment = 5<BR />index = my_index<BR />sourcetype = xml_atm<BR /><BR /></P> Fri, 13 Nov 2020 13:55:12 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/529301#M89177 nicofantinato 2020-11-13T13:55:12Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/530191#M89266 <P>Hi, do you have any suggestion? I'm still unable to ingest entire XML files every time their modification time changes.</P> Fri, 20 Nov 2020 11:32:10 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/530191#M89266 nicofantinato 2020-11-20T11:32:10Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/530215#M89268 <P>Splunk tries its best to avoid re-indexing entire files that are ingesting via a <FONT face="courier new,courier">monitor</FONT> stanza.&nbsp; I'm not aware of any setting to override that behavior.</P><P>Consider using <FONT face="courier new,courier">batch</FONT> input, instead.&nbsp; Splunk will read the entire file, but will delete it afterward.&nbsp; That means your application must be prepared to re-create the file.&nbsp; It also runs the risk of a race condition between Splunk and your app.&nbsp; Can the application be configured to write a new file instead of overwriting existing files?</P> Fri, 20 Nov 2020 14:30:24 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/530215#M89268 richgalloway 2020-11-20T14:30:24Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/532502#M89517 <P>Hi, turned out we also needed to add directive&nbsp;crcSalt = &lt;SOURCE&gt; in inputs.conf on UFs. Adding this all worked as expected.</P><P>inputs.conf became simply:</P><P>[<SPAN>monitor://D:\ABC\Monitor\Monitor\Inputs\*\*.xml</SPAN>]<BR />disabled = 0<BR />host_segment = 5<BR />crcSalt = &lt;SOURCE&gt;<BR />index = <SPAN>my_index</SPAN><BR />sourcetype = <SPAN>xml_atm</SPAN></P> Wed, 09 Dec 2020 16:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/532502#M89517 nicofantinato 2020-12-09T16:54:21Z https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/553097#M91720 <P>I have the exact same config as you, the only difference is that I want "source" also, if I define a source value then host names goes back to default servername, in this case host/host_regex/host_segment, nothing works if "source" is defined.</P><P>Do you have any suggestion what I can try? I am also configuring on UF.</P><P>Sample:</P><P><SPAN>[</SPAN><SPAN>monitor://D:\ABC\Monitor\Monitor\Inputs\*\*.xml</SPAN><SPAN>]</SPAN><BR /><SPAN>disabled = 0</SPAN><BR /><SPAN>host_segment = 5</SPAN><BR /><SPAN>crcSalt = &lt;SOURCE&gt;</SPAN><BR /><SPAN>index =&nbsp;</SPAN><SPAN>my_index</SPAN><BR /><SPAN>sourcetype =&nbsp;</SPAN><SPAN>xml_atm</SPAN></P><P><SPAN>source = B_wks</SPAN></P> Wed, 26 May 2021 09:18:13 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-entire-XML-file/m-p/553097#M91720 ff9231 2021-05-26T09:18:13Z