Getting Data In

Configure inputs.conf to reindex file every time modification time changes?

horsefez
Motivator

Hi fellow splunkers,

I want to know if I can somehow define a monitor-stanza that reindexes a file (entirely reindexes) each and everytime if the modification time is changed.
So far I found the parameters crcSalt and initCrcLength, but not sure how to use them correctly.

Has anyone an idea how to configure this the right way?

Thanks for your help!

Best regards,
pyro_wood

0 Karma
1 Solution

ddrillic
Ultra Champion
0 Karma

ddrillic
Ultra Champion

A great thread about it at How to reindex data from a forwarder

It says -

alt text

0 Karma

horsefez
Motivator

Cool, thanks ddrillic! 🙂

0 Karma

somesoni2
Revered Legend

How big is the file?

0 Karma

horsefez
Motivator

Hi somesoni2,
I try indexing the splunk.conf files so someone outside of splunk gets alerted when there is a change to them.
I don't think those files are big if it boils down to size.

0 Karma

TStrauch
Communicator

Hi pyro_wood,

i hope this answer will help you. You can set the check_method in props.conf source stanza, to achieve your solution.

https://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.h...

regards

0 Karma

horsefez
Motivator

Thanks! 🙂
But the docs you are refering to are very old and not relevant anymore

0 Karma

TStrauch
Communicator

Hi, the props.conf link refers to the latest version of props.conf 😉 and the postet link props.conf and inputs.conf do the same 😉

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...