Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

File has not been indexed since 9/1/2010

kmattern
Builder
‎11-03-2010 07:14 PM

Version 4.0.11

I have a number of .CSV files in my log folder on a light forwarder. Unfortunately at least one of them has not been indexed/forwarded since September 1st. Now that I am about to do a major demo I discover this fact.

How do I get splunk to forward/index this file? It changes every morning. There is no header on the file. Today's file looks like this:

AE-327RA-MIB-000.pdf
A1-L18AC-747-200.pdf
AE-325RA-MIB-000.pdf
A1-E6AAB-MRC-100.pdf
A1-AM2BB-SRM-200.pdf
17-600-220-6-2.pdf
17-15R-1.pdf
17-600-220-6-1.pdf
16-35ON655-1.pdf
01-75GAJ-23FI-20-1.pdf
13-1-6-3-1.pdf
01-75GAJ-6.pdf
01-75GAJ-4-79-1.pdf

This list of files is passed into a form where the user can select the file and see when it was downloaded. Since it is not being indexed the user has noting to select from.

Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎11-04-2010 01:49 AM

By default, Splunk is going to look at the CRC values of the beginning and end of the file. If your file does not change much, this may not be enough.

Assuming the filename is always the same, the simplest solution is to look solely at the timestamp instead. In props.conf:

[source:///path/to/yoursourcefile]
CHECK_METHOD = modtime

This will cause Splunk to re-index the file every time the modification timestamp changes, rather than looking at the content.

If the filename changes, the crcSalt option in inputs.conf is another possibility.

You can also look at this link if you want to dig deeper into the root cause - there are some debugging options that can be turned on to provide more information:
     http://www.splunk.com/wiki/Community:Troubleshooting_Monitor_Inputs

View solution in original post

Reply
Solved! Jump to solution
Solution

kmattern
Builder
‎11-05-2010 03:16 PM

It still didn't work for all the files. In checking the software that creates the files I found a bug that prevented all but one file from being updated. Patched the software and now it works just fine. I still like setting the CHECK_METHOD = modtime just to insure the files will be indexed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmattern
Builder
‎11-05-2010 03:16 PM

It still didn't work for all the files. In checking the software that creates the files I found a bug that prevented all but one file from being updated. Patched the software and now it works just fine. I still like setting the CHECK_METHOD = modtime just to insure the files will be indexed.

0 Karma
Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎11-04-2010 01:49 AM

By default, Splunk is going to look at the CRC values of the beginning and end of the file. If your file does not change much, this may not be enough.

Assuming the filename is always the same, the simplest solution is to look solely at the timestamp instead. In props.conf:

[source:///path/to/yoursourcefile]
CHECK_METHOD = modtime

This will cause Splunk to re-index the file every time the modification timestamp changes, rather than looking at the content.

If the filename changes, the crcSalt option in inputs.conf is another possibility.

You can also look at this link if you want to dig deeper into the root cause - there are some debugging options that can be turned on to provide more information:
     http://www.splunk.com/wiki/Community:Troubleshooting_Monitor_Inputs

Reply
Solved! Jump to solution

kmattern
Builder
‎11-04-2010 01:19 PM

Thanks. That was just what I needed!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...