Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configure delay in batch input? time_to_close does not work (v6.0.5)

the_wolverine
Champion
‎03-02-2015 10:07 AM

Batch configured inputs are getting deleted before they can be indexed. I tried configuring time_to_close in inputs.conf but Splunk complains that the configuration is invalid. I'm assuming due to using it with batch vs monitor input.

Is there any other way to delay the deletion of the file? Seems to be Splunk is unable to consume it before the move policy to sinkhole kicks in.

[batch:///data/*.csv]
index=main
sourcetype=csv
move_policy = sinkhole
time_before_close = 300

On restart:

Checking conf files for problems...
    Invalid key in stanza [batch:///data/*.csv] in /opt/splunk/etc/system/local/inputs.conf, line 5: time_before_close  (value:  300)
    Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-20-2016 11:21 AM

the error doesnt necessarily mean that its not working, rather, that the configuration is not present in the .conf file.
time_before_close does work for a regular input, and it might be the case that it will work for batch too.
try it for a while, and maybe do test it with writing to a file and take a break, and then write again, what's it do?

0 Karma
Reply

jlaigo2
Path Finder
‎09-27-2016 05:31 PM

Was there ever an answer to this?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...