Solved: Re: Configure inputs.conf to reindex file every ti...

horsefez · ‎09-09-2016

Hi fellow splunkers,

I want to know if I can somehow define a monitor-stanza that reindexes a file (entirely reindexes) each and everytime if the modification time is changed.
So far I found the parameters crcSalt and initCrcLength, but not sure how to use them correctly.

Has anyone an idea how to configure this the right way?

Thanks for your help!

Best regards,
pyro_wood

ddrillic · ‎09-11-2016

A great thread about it at How to reindex data from a forwarder

It says -

alt text

View solution in original post

ddrillic · ‎09-11-2016

A great thread about it at How to reindex data from a forwarder

It says -

alt text

horsefez · ‎09-13-2016

Cool, thanks ddrillic! 🙂

somesoni2 · ‎09-09-2016

How big is the file?

horsefez · ‎09-13-2016

Hi somesoni2,
I try indexing the splunk.conf files so someone outside of splunk gets alerted when there is a change to them.
I don't think those files are big if it boils down to size.

TStrauch · ‎09-09-2016

Hi pyro_wood,

i hope this answer will help you. You can set the check_method in props.conf source stanza, to achieve your solution.

https://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.h...

regards

horsefez · ‎09-09-2016

Thanks! 🙂
But the docs you are refering to are very old and not relevant anymore

TStrauch · ‎09-09-2016

Hi, the props.conf link refers to the latest version of props.conf 😉 and the postet link props.conf and inputs.conf do the same 😉

Configure inputs.conf to reindex file every time modification time changes?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform