File Monitroring issue- Why did csv file stop gett...

Zacknoid · ‎10-03-2022

facing this issue second time, and tried almost every possible way out in last 2 months, so here is the csv file we're which is getting referesh in every 1 hour, ( it may or may not contain new events )

We observed after few hours file stop getting into splunk and after splunk restart again it start ingesting data.

In the splunkd logs its says ignoring path,

I have tried crcSalt, initCrcLenth but non worked in my case

All i want splunk is to read new file always no matter is there is new events or not, just stay updated with file
( i cannot add counter in file )

richgalloway · ‎10-03-2022

That's not how Splunk works to monitor files. Splunk looks for *new* data because it already has the old data. Completely replacing the file confuses the heck out of the monitor.

If the file is untouched except for the hourly refresh then consider a batch input instead of a monitor. Keep in mind that Splunk will delete the file after ingesting it so this may not be the right choice if the file is needed for other purposes.

Another option is a scripted input. Write a short Python script that reads the file and write it to stdout. Set up that script as a Splunk Scripted Input to run every hour a few minutes after the file is scheduled to refresh. Splunk will ingest everything written to stdout and the file will remain.

---
If this reply helps you, Karma would be appreciated.

File Monitroring issue- Why did csv file stop getting ingested into splunk after few hours?

CSV

index

inputs.conf

other

props.conf

universal forwarder

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM