Solved: Re: Add monitor file with new index not working

tanglong · ‎08-14-2019

Hello,

I have problem with Splunk Forwarder.

Currently, i monitor a dir (/var/log/httpd/*) but it automatic delete old log and insert new log. Index default is "main".

I want to store with new index name "weblog", i have do:
- Step 1: delete all log httpd with search query: "source=httpd | delete"
- Step 2: remove old monitoring and add new: ./splunk add monitor "/var/log/httpd/*" -index weblog -sourcetype newsource

But it not working.

I use command below it working but not define new index: ./splunk add monitor "/var/log/httpd/*" -sourcetype newsource

Can you help me resolve my problem?
Thanks.

gcusello · ‎08-14-2019

Hi tanglong,
when you already ingested logs from a file you cannot ingest them again, also renaming the file.
To do this you have to use a workaround:

delete the old logs from the main index using the delete command, remember that only special users (can_delete role) can delete logs, this step isn't mandatory;
create the new index weblog on Indexer
modify inputs.conf on Forwarder adding the option index = weblog to inputs.conf;
modify inputs.conf on Forwarder adding the option crcSalt = <SOURCE> to inputs.conf;
restart Forwarder;
after the logs are reindexed delete the crcSalt = <SOURCE> row from inputs.conf and restart Forwarder.

In this way logs are reindexed and sent to the new index.

Remember that if you add the can_delete role to you admin user, it's a good idea disable this feature as soon as after the deletion, it isn't a good idea to have this feature enabled.

Bye.
Giuseppe

View solution in original post

tanglong · ‎08-15-2019

Thanks for all comment, its helpful with me. Very important keyword.

Its show on Indexer.

This is config inputs.conf and "weblog" sourcetype not show in Splunk main page.

Anyway to help me? Thanks so much!

woodcock · ‎08-14-2019

The fishbucket on the forwarder will remember that this file has already been forwarded and will refuse to forward it again. You can either:
1: Clear the fishbucket for this file.
2: Manually send the file using splunk add oneshot.
Also, do not use the CLI to configure ANYTHING in Splunk. You should create your own forwarder app and put your configurations in that.

gcusello · ‎08-14-2019

Hi tanglong,
when you already ingested logs from a file you cannot ingest them again, also renaming the file.
To do this you have to use a workaround:

delete the old logs from the main index using the delete command, remember that only special users (can_delete role) can delete logs, this step isn't mandatory;
create the new index weblog on Indexer
modify inputs.conf on Forwarder adding the option index = weblog to inputs.conf;
modify inputs.conf on Forwarder adding the option crcSalt = <SOURCE> to inputs.conf;
restart Forwarder;
after the logs are reindexed delete the crcSalt = <SOURCE> row from inputs.conf and restart Forwarder.

In this way logs are reindexed and sent to the new index.

Remember that if you add the can_delete role to you admin user, it's a good idea disable this feature as soon as after the deletion, it isn't a good idea to have this feature enabled.

Bye.
Giuseppe

DavidHourani · ‎08-14-2019

Are you trying to re-ingest the same data ?

Add monitor file with new index not working

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!