Archive

Splunk config help to completely reindex a file

Path Finder

Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.

When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index

Here the file name will not be changed, only data inside the file will be updated.

I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work

is there any way to make splunk to reindex the file again?

0 Karma

Motivator

Hello there @NAVEEN_CTS

Have u try this?

[sourcetype]
 CHECK_METHOD = entire_md5
...
0 Karma

Path Finder

Where should i add this? inputs.conf or props.conf ?

Currently my set up is like UF --> HF--> IDX

I do some extraction at HF using the sourcetype.

0 Karma

Motivator

props.conf in the UF

0 Karma

Path Finder

@alemarzu It didnt help as well....same result

0 Karma

Motivator

I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5

0 Karma

Path Finder

Hi @alemarzu , Still it didn't work

My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again

My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test

My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5

0 Karma