<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to get Splunk to recognise new data added to a CSV File. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550201#M91372</link>
    <description>&lt;P&gt;Hi there thank you for your feedback.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;The data was loaded via the GUI.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;As a newby to Splunk, I am experimenting with its capability to ingest historic data.&amp;nbsp; We are looking to migrate from OSIOsft PI to an alternative data historian and Splunk is one of the products we are looking at.&amp;nbsp; A key requirement for the new historian is the ability to ingest a large amount of historic data (about 10 years worth).&amp;nbsp; To prove this functionality, I have 3 months worth of data across three CSV files and I need to load this into Splunk.&amp;nbsp; Obviously I am not familiar with the config changes that you mention, could you possibly provide a sample entry to the config file.&lt;/P&gt;&lt;P&gt;Kind Regards&lt;/P&gt;&lt;P&gt;Paul.&lt;/P&gt;</description>
    <pubDate>Mon, 03 May 2021 09:11:54 GMT</pubDate>
    <dc:creator>pjAstroMan</dc:creator>
    <dc:date>2021-05-03T09:11:54Z</dc:date>
    <item>
      <title>How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550046#M91355</link>
      <description>&lt;P&gt;Hi there, I'm experiminting with a single machine/single instance of Splunk Enterprise, using a set of static data in CSV format.&amp;nbsp; I successfully ingested the initial data from the CSV file, however when I add subsequent records to the CSV file, Splunk seems unaware of the new data.&amp;nbsp; How can I set things up so that Splunk will recognise the data, and update the dashboards I have created for monitoring the data dynamically?&lt;/P&gt;&lt;P&gt;Kind Regards&lt;/P&gt;&lt;P&gt;Paul J.&lt;/P&gt;</description>
      <pubDate>Fri, 30 Apr 2021 17:04:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550046#M91355</guid>
      <dc:creator>pjAstroMan</dc:creator>
      <dc:date>2021-04-30T17:04:06Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550092#M91358</link>
      <description>&lt;P&gt;Hi. How are you adding more data to the csv?&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you added a file using the lookup files -&amp;gt; new and then you are editing the actual file on disk, that likely won't work. I highly recommend using this app:&amp;nbsp;&lt;A href="https://splunkbase.splunk.com/app/1724/" target="_blank"&gt;https://splunkbase.splunk.com/app/1724/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 30 Apr 2021 23:57:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550092#M91358</guid>
      <dc:creator>burwell</dc:creator>
      <dc:date>2021-04-30T23:57:17Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550096#M91359</link>
      <description>&lt;P&gt;Paul,&lt;/P&gt;&lt;P&gt;how did you ingest the initial file? Did you upload it to your instance via the UI or did you setup a file monitor?&amp;nbsp;&lt;/P&gt;&lt;P&gt;You need to make sure you have an &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Monitorfilesanddirectorieswithinputs.conf" target="_self"&gt;inputs.conf file&lt;/A&gt; configured with a&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor://....]&lt;/LI-CODE&gt;&lt;P&gt;stanza that points to your directory/file. If you do that, and that input is enabled, changes to the file should be picked up and indexed.&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;</description>
      <pubDate>Sat, 01 May 2021 01:55:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550096#M91359</guid>
      <dc:creator>s2_splunk</dc:creator>
      <dc:date>2021-05-01T01:55:06Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550201#M91372</link>
      <description>&lt;P&gt;Hi there thank you for your feedback.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;The data was loaded via the GUI.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;As a newby to Splunk, I am experimenting with its capability to ingest historic data.&amp;nbsp; We are looking to migrate from OSIOsft PI to an alternative data historian and Splunk is one of the products we are looking at.&amp;nbsp; A key requirement for the new historian is the ability to ingest a large amount of historic data (about 10 years worth).&amp;nbsp; To prove this functionality, I have 3 months worth of data across three CSV files and I need to load this into Splunk.&amp;nbsp; Obviously I am not familiar with the config changes that you mention, could you possibly provide a sample entry to the config file.&lt;/P&gt;&lt;P&gt;Kind Regards&lt;/P&gt;&lt;P&gt;Paul.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 09:11:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550201#M91372</guid>
      <dc:creator>pjAstroMan</dc:creator>
      <dc:date>2021-05-03T09:11:54Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550224#M91376</link>
      <description>&lt;P&gt;Is there no way to create the necessary configuration vua the GUI?&amp;nbsp; I have had a look and tried using the Data Input option, but specified 'Continuously Monitor' instead&amp;nbsp; 'Index Once' as this implied the functionality I was looking for, unfortunately this did not work.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 12:30:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550224#M91376</guid>
      <dc:creator>pjAstroMan</dc:creator>
      <dc:date>2021-05-03T12:30:29Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550237#M91378</link>
      <description>&lt;P&gt;As a user new to Splunk, I suggest you review &lt;A href="https://www.splunk.com/en_us/training/videos/all-videos.html" target="_self"&gt;the video on getting data into Splunk Enterprise&lt;/A&gt;&amp;nbsp; for the general approach to monitor a directory using the UI.&lt;/P&gt;&lt;P&gt;There are a myriad of ways to go about getting data into Splunk. For historic data, you would normally not choose a monitor, since you don't expect historic files to be updated. Since the UI imposes a 500MB limit on uploaded files, you can use the CLI and the &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/MonitorfilesanddirectoriesusingtheCLI#Example_4:_Upload_a_file" target="_self"&gt;oneshot or spool&lt;/A&gt; commands for a one-time ingest.&lt;/P&gt;&lt;P&gt;If you want to explore configuring file monitoring, please review &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Monitorfilesanddirectorieswithinputs.conf" target="_self"&gt;this&amp;nbsp;&lt;/A&gt;part of our documentation, which contains example settings.&lt;/P&gt;&lt;P&gt;One note regarding old data: There are some settings that control how far back of a timestamp Splunk will consider valid. Specifically, MAX_DAYS_AGO is used to discard data that is older than a set amount of time. This defaults to 2000 days, so you may have to adjust this for data older than ~5.5 years.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 15:59:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550237#M91378</guid>
      <dc:creator>s2_splunk</dc:creator>
      <dc:date>2021-05-03T15:59:41Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550240#M91380</link>
      <description>&lt;P&gt;Hi there, I have read through the documentation you have suggested.&amp;nbsp; As I have no experience of working under the 'Splunk hood' so to speak I am reluctant to start manually editing files.&amp;nbsp; &amp;nbsp;This strikes me as functionality that should be availabel via a GUI.&amp;nbsp;&amp;nbsp; I guess I am a bit surprised that I would need to resort to manually editing a file in order to get Splunk to recognise new data.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Paul.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 16:09:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550240#M91380</guid>
      <dc:creator>pjAstroMan</dc:creator>
      <dc:date>2021-05-03T16:09:54Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550242#M91381</link>
      <description>&lt;P&gt;You don't need to resort to the command line to do what you want to do; apologies if it sounded like that's a must. Splunk's primary purpose is to ingest data on an ongoing basis, for which the &lt;EM&gt;monitor&lt;/EM&gt; approach is exactly the right thing to do.&lt;/P&gt;&lt;P&gt;Your use case is about loading large amounts of historical data and there are some product features available to support one-time ingest that are not exposed via the UI.&lt;/P&gt;&lt;P&gt;I would suggest you try to configure a monitor input on the directory containing your files. Follow the UI process as shown in the video I linked and instead of selecting a file, select a directory on your Splunk server. Once you have done that, copying/moving files into that directory should cause them to be indexed into Splunk.&amp;nbsp;&lt;/P&gt;&lt;P&gt;If that doesn't work for you, please respond and we can troubleshoot from there.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 16:21:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550242#M91381</guid>
      <dc:creator>s2_splunk</dc:creator>
      <dc:date>2021-05-03T16:21:05Z</dc:date>
    </item>
    <item>
      <title>Re: How to get Splunk to recognise new data added to a CSV File.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550244#M91382</link>
      <description>&lt;P&gt;Yep, just stumbled across the functionality you suggested, thank you very much for your assistance, much appreciated.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;Paul.&lt;/P&gt;</description>
      <pubDate>Mon, 03 May 2021 16:34:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-get-Splunk-to-recognise-new-data-added-to-a-CSV-File/m-p/550244#M91382</guid>
      <dc:creator>pjAstroMan</dc:creator>
      <dc:date>2021-05-03T16:34:08Z</dc:date>
    </item>
  </channel>
</rss>

