Getting Data In

Can crcSalt be applied to a specific subdirectory in a monitored directory?

mthierbel
Explorer

My inputs.conf is configured to monitor a directory with many different subfolders, and each contains different types of log files. Is there a way I can make crcSalt only apply to a certain subfolder or file type?

For example, here is my inputs.conf entry:

[monitor://c:\var\log\data\]
disabled = false
index = logdata

If I add crcSalt = <SOURCE> here, it will apply to all input files within the c:\var\log\data folder. But what if I only want it to apply to files in the c:\var\log\data\program subfolder? (I have too many subfolders to define inputs.conf entries for each one).

Is there a way I can make crcSalt only apply to a specific folder or file within my input directory?

1 Solution

jbsplunk
Splunk Employee

Without getting into why you want to use crcSalt (which is needed only for very specific use cases), you can't do something like what you're describing at the parent level. As such, you'd need to remove the parent level monitor stanza and configure the monitor stanzas for the children ONLY, otherwise you'll end up with overlapping stanzas, which will result in inputs treated inconsistently, as per the documentation.

So what you'd need to do would be:

[monitor://c:\var\log\data\program1]
disabled = false
index = logdata

[monitor://c:\var\log\data\program2]
disabled = false
crcSalt = <SOURCE>
index = logdata

This is the only way to achieve the configuration you're describing in a manner that will result in reliable behavior.

mthierbel
Explorer

That's what I figured, but I was hoping there was another way. My environment has so many subfolders, that it would be difficult to maintain separate inputs.conf entries for each of them, which is why I have the recursive parent input.

0 Karma
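The per-child layout from the accepted answer can be generated instead of maintained by hand. The following is an added example, not code from this thread or from Splunk: `build_stanzas`, `monitor_paths` and `overlapping` are hypothetical helper names, and the folder names are constructed sample input. It emits one monitor stanza per subfolder, sets `crcSalt = <SOURCE>` only where requested, and flags any stanza whose path contains another stanza's path.

```python
from pathlib import PureWindowsPath

PREFIX = "[monitor://"

def build_stanzas(parent, subfolders, salted, index="logdata"):
    """Return inputs.conf text: one stanza per child, crcSalt only for `salted`."""
    unknown = set(salted) - set(subfolders)
    if unknown:
        raise ValueError(f"salted folders not in subfolder list: {sorted(unknown)}")
    blocks = []
    for name in sorted(subfolders):
        path = PureWindowsPath(parent) / name
        lines = [f"{PREFIX}{path}]", "disabled = false"]
        if name in salted:
            lines.append("crcSalt = <SOURCE>")
        lines.append(f"index = {index}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def monitor_paths(conf_text):
    """Extract the monitored paths from stanza headers (wildcards are not expanded)."""
    paths = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX) and line.endswith("]"):
            paths.append(PureWindowsPath(line[len(PREFIX):-1]))
    return paths

def overlapping(conf_text):
    """Return (ancestor, descendant) pairs where one monitored path contains another."""
    paths = monitor_paths(conf_text)
    return [(str(a), str(b)) for a in paths for b in paths
            if a != b and a in b.parents]

if __name__ == "__main__":
    # Constructed sample: in practice the list would come from listing the parent folder.
    conf = build_stanzas(r"c:\var\log\data", ["program1", "program2"], {"program2"})
    print(conf)
    # Leaving the parent stanza in place is the overlap the answer warns about.
    with_parent = "[monitor://c:\\var\\log\\data\\]\nindex = logdata\n\n" + conf
    for ancestor, child in overlapping(with_parent):
        print(f"overlap: {ancestor} contains {child}")
```

New subfolders are not covered until the file is regenerated, which is the trade-off against the single recursive parent stanza.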

linu1988
Champion

Hello,
If you want to monitor a specific file type you need to give the recursive option from the parent directory. This will monitor the file type in all the subfolders.

[monitor://E:\...\foo\*.log]
recursive = true|false
        If set to false, Splunk will not go into subdirectories found within a monitored directory.
        Defaults to true. 

If you need to monitor a specific subfolder then you have to mention it or the pattern so Splunk understands. Please follow this for the options. I am not sure why you would want to use crcSalt, but in your case it will be crcSalt=Source/Any string.

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Specifyinputpathswithwildcards

linu1988
Champion

Unfortunately you have to make two groups where you want to apply crcSalt and where you don't. Maybe some other solution may work. You need to match the subdirectory pattern through wildcard and put in some effort, but I am not sure how it would be possible to apply it.

0 Karma

mthierbel
Explorer

In case I was not clear, my input is already recursive and that is intended.

Basically, I want my inputs to be recursive, but crcSalt to not be recursive. For example:

\var\log\data\* NO crcSalt
\var\log\data\program1 YES crcSalt
\var\log\data\program2 NO crcSalt

0 Karma