Hi Splunkers,
I had two questions with regards to the universal forwarder and a csv file.
1. Is it possible to configure the universal forwarder to forward a file at 11PM every night irrespective of whether the file has changed or not. (I understand that the whole file will be forwarded each night)
2. How can I force the universal forwarder to resend the whole file ? Can changing the timestamp do the trick ?
Thanks,
Termcap
1. There is no such feature. If you have a compelling use case for it, submit it at https://ideas.splunk.com.
2. Changing the timestamp may make Splunk take another look at the file, but it quickly will realize it's processed it before and refuse to do so again. To get a UF to re-process a file you must make it forget it's done so already by deleting the fishbucket. See https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport...
1. There is no such feature. If you have a compelling use case for it, submit it at https://ideas.splunk.com.
2. Changing the timestamp may make Splunk take another look at the file, but it quickly will realize it's processed it before and refuse to do so again. To get a UF to re-process a file you must make it forget it's done so already by deleting the fishbucket. See https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport...
What you have stated is the default behavior of the UF.
I was I was able to get the UF to re-process the whole file by adding random junk characters and enabling the crcSalt = <SOURCE> for the file.
Then exclude those junk characters using transforms.conf.