Can crcSalt be applied to a specific subdirectory in a monitored directory?

mthierbel
Explorer

My inputs.conf is configured to monitor a directory with many different subfolders, and each contains different types of log files. Is there a way I can make crcSalt only apply to a certain subfolder or file type?

For example, here is my inputs.conf entry:

[monitor://c:\var\log\data\]
disabled = false
index = logdata

If I add crcSalt = <SOURCE> here, it will apply to all input files within the c:\var\log\data folder. But what if I only want it to apply to files in the c:\var\log\data\program subfolder? (I have too many subfolders to define inputs.conf entries for each one).

Is there a way I can make crcSalt only apply to a specific folder or file within my input directory?

1 Solution

jbsplunk
Splunk Employee

Without getting into why you want to use crcSalt (which is needed only for very specific use cases), you can't do something like what you're describing at the parent level. As such, you'd need to remove the parent level monitor stanza and configure the monitor stanzas for the children ONLY, otherwise you'll end up with overlapping stanzas, which will result in inputs treated inconsistently, as per the documentation.

So what you'd need to do would be:

[monitor://c:\var\log\data\program1]
disabled = false
index = logdata

[monitor://c:\var\log\data\program2]
disabled = false
crcSalt = <SOURCE>
index = logdata

This is the only way to achieve the configuration you're describing in a manner that will result in reliable behavior.

mthierbel
Explorer

That's what I figured, but I was hoping there was another way. My environment has so many subfolders, that it would be difficult to maintain separate inputs.conf entries for each of them, which is why I have the recursive parent input.

0 Karma

linu1988
Champion

Hello,
If you want to monitor a specific file type you need to give the recursive option from parent directory. This will monitor the file type in all the subfolders.

[monitor://E:\...\foo\*.log]
recursive = true|false
        If set to false, Splunk will not go into subdirectories found within a monitored directory.
        Defaults to true. 

If you need to monitor a specific subfolder then you have to mention it or the pattern so Splunk understands. Please follow this for the options. I am not sure why you would want to use crcSalt, but in your case it will be crcSalt=Source/Any string.

http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Specifyinputpathswithwildcards

linu1988
Champion

Unfortunately you have to make two groups where you want to apply crcSalt and where you don't. Maybe some other solution may work. You need to match the subdirectory pattern through wildcard and put in some effort, but I am not sure how it would be possible to apply it.

0 Karma

mthierbel
Explorer

In case I was not clear, my input is already recursive and that is intended.

Basically, I want my inputs to be recursive, but crcSalt to not be recursive. For example:

\var\log\data\* NO crcSalt
\var\log\data\program1 YES crcSalt
\var\log\data\program2 NO crcSalt

0 Karma
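
The child-only layout from the accepted answer, as an added example that is not part of the original thread and is not Splunk tooling: a Python script that generates one monitor stanza per subfolder, sets crcSalt only on the listed ones, and flags overlapping monitor paths. The function names and the sample folder names are assumptions, and only literal paths (no wildcards) are compared.

```python
import ntpath  # Windows path rules, usable on any OS
import os
import re

def build_stanzas(parent, subfolders, salted, index="logdata"):
    """One [monitor://] stanza per child folder; crcSalt only where listed."""
    salted_lc = {s.lower() for s in salted}
    out = []
    for name in sorted(subfolders, key=str.lower):
        lines = [f"[monitor://{ntpath.join(parent, name)}]", "disabled = false"]
        if name.lower() in salted_lc:
            lines.append("crcSalt = <SOURCE>")
        lines.append(f"index = {index}")
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"

def monitored_paths(conf_text):
    """Extract the path from every [monitor://...] stanza header."""
    return re.findall(r"^\[monitor://(.+?)\]\s*$", conf_text, flags=re.M)

def overlapping(conf_text):
    """Return (parent, child) pairs where one stanza's path contains another's."""
    # Trailing backslash keeps program1 from matching program10.
    norm = [(p, ntpath.normcase(p).rstrip("\\") + "\\")
            for p in monitored_paths(conf_text)]
    return [(a, b) for a, na in norm for b, nb in norm
            if a != b and nb.startswith(na)]

def list_subfolders(parent):
    """Immediate child directories of a real monitored folder on disk."""
    return [e.name for e in os.scandir(parent) if e.is_dir()]

if __name__ == "__main__":
    # Constructed sample: folder names are placeholders, not from a real host.
    conf = build_stanzas(r"c:\var\log\data",
                         ["program1", "program2", "audit"], {"program2"})
    print(conf)
    print("overlaps:", overlapping(conf))
    # Keeping the parent stanza alongside the children is what gets flagged.
    print("overlaps:", overlapping("[monitor://c:\\var\\log\\data\\]\n" + conf))
```

On a real forwarder, pass `list_subfolders(parent)` as the folder list; files sitting directly in the parent folder are not covered by child-only stanzas.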