I've come across a use case where a log file rolls once every 24h.
e.g.: logname.log.2014-01-01
logname.log.2014-01-02
logname.log.2014-01-03 ...etc.
I've edited the inputs.conf to monitor ...///logpath/LogName.log*]; however, I am unable to see any of the log data.
Is there something I need to add in order to start seeing this data (i.e. regex via props.conf)?
Your help would be much appreciated.
Thank You!
Hello!
Have you already indexed these logs previously and not realised? Generally logs will be filled with all sorts of wonderful data throughout the day which Splunk gobbles up, then at midnight a script rolls the logs and starts afresh.
Splunk recognises this by taking a CRC of the start of each file; this way it stops itself re-indexing old data and producing duplicates:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Howlogfilerotationishandled
And you are sure that your [monitor] stanza is correct? If you are not seeing any log files, that might be the issue.
OK, so time configuration in props is about how it pulls the timestamp from an event. It's not related to how Splunk handles rolled logs; that's done by the CRC of the first 256 bytes of a file (or something like that). Try crcSalt =
I believe timestamps in correlation with rolling based logs is the problem, right?
I don't think Splunk will index rolling based logs without specifying its timestamps, but that's essentially what I'm asking.
I need a way for Splunk to receive rolling based log data, and I'm pretty sure I need to specify that somehow, but I'm not exactly sure, except that the CRC attributes look like they're more for headers within the log, and not for specifying the log files' timestamps.
Sorry for any confusion 🙂
hmm, I'm not sure if you're confusing problems here? Setting the timestamp stuff may be useful if you're having issues with timestamps. But is that the problem? I thought the issue is indexing/reindexing files? You don't need to configure a CRC value as there is a default, if you want it to read every file you can set the crcsalt to
It seems like the CRC attributes would be good to use if a log had headers.
I have an easy name=value format that Splunk can auto-extract the data from, so what about using something like a props.conf and configuring time parameters (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD)? That may be useful in my case.
If I set up the props.conf, would I still need to set up a CRC attribute in the inputs.conf?
Thanks!
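As an added example (not part of this thread or of any poster's configuration), here is what a monitor stanza for a daily-rolled log and a matching props.conf with the time settings named above could look like. The path, the sourcetype name `app_kv`, and the assumed event layout (a `YYYY-MM-DD HH:MM:SS` timestamp at the start of each line followed by name=value pairs) are all assumptions for illustration.

```ini
# inputs.conf on the forwarder
# The wildcard picks up logname.log and every rotated copy
# (logname.log.2014-01-01 and so on) under the same stanza.
[monitor:///var/log/app/logname.log*]
disabled = false
sourcetype = app_kv
# crcSalt is deliberately left at its default: when rotation renames
# logname.log to logname.log.2014-01-01, the header CRC still matches
# and the file is not re-indexed as a new source.

# props.conf on the indexer (a universal forwarder does not parse,
# so timestamp settings placed only on a UF have no effect)
[app_kv]
# Assumed event layout: "2014-01-01 12:34:56 user=alice action=login"
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = false
```

The timestamp settings only tell Splunk where to read the event time; they do not change which files get read or re-read, which is governed by the CRC check in inputs.conf. If events are being dropped for timestamp reasons, that normally shows up in splunkd.log rather than as a completely empty source, so an empty search for this source is more likely a stanza or path problem than a timestamp one.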
Ah, once you've consumed a file Splunk won't re-read it, even if you add a new output. On the forwarder you'll need to run a command, splunk clean eventdata. This will delete all its internal "trackers" of what it has and hasn't read. This will cause it to re-send everything. So if you do this, remember to run the same command on your indexers so you don't end up with duplicate data... it's a bit of a clean everything and start again approach. Also bear in mind that on a UF that command will reset the admin password to default; that's not the case with an indexer.
Thanks for the quick response!
I've just recently installed a forwarder and configured this server to start sending its data to Splunk. I've gotten the dev server to index its data, but prod seems to be a different story.
I'll take a look at this documentation.
Thanks