I created a monitor, which should check the local directory with 262 csv files. The whole set of csv files should be indexed in index1. Only 1 file has been indexed. Manual upload and indexing process into index1 of any missed csv file works. If I add any first row into missed csv file, it will be automaticaly indexed into index1. The first row of each csv file is the same (names of columns (attributes)). Can you help me, please?
Did you try indexing using inputs.conf?
[monitor://D:\<your directory>\*.csv] disabled = false index = your_index sourcetype = your_ST interval = 10 crcSalt = <SOURCE>
thank you for your message. I have no access to the file system of the server. It is possible to edit the inputs.conf via gui?
It's equivalent to what you have done.
When you navigate to Data Inputs -> Files & Directories, what is the name of your monitor? Did you mention *.csv from your directory and did you specify your source type as csv?
The name of the monitor is Files & directories. There is column Full path to you data in the list of all monitors. This column is probably the name of the monitor. Right? If yes, than my monitor name is the complet local path of the detected directory. My monitor detected all files in the directory. I can see the number of detected files in the list. When I create the monitor, I choose the csv sourcetype. I have defined index, which should be relevant to this monitor. Should be set any other properties, when I create the monitor?
I have opened one nonindexed csv file in text editor. I added this string: crcSalt = to the header. After saving, the file has been automatically indexed in Splunk without any problem.
Strange. So, Adding crcSalt to all the files resolved your issue?
Recommended approach is to do it through inputs.conf. If possible, you can request edit access to your Splunk servers' %SPLUNK_HOME%\etc\system\local directory so that you can play around with various options with conf files.
If my response helped you, kindly accept and/or upvote it.
I think that you must use inputs.conf and there parameter crcSalt, which define how splunk know if the file is already read or not. Unfortunately there is no way other way than get shell access to server or ask someone else add needed parameters there.