Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

File monitoring With an interval

ninisimonishvil
Path Finder
‎05-20-2018 11:23 PM

Hello everyone.

I have an issue regarding monitoring files in a directory.

The thing is that in order events to be broken correctly the file must be first populated, so splunk must wait until it starts indexing that file. I created a stanza :

[monitor://C:\Program Files\mypath*]
disabled = false
index = default
sourcetype = mysourcetype
crcSalt = <SOURCE>
time_before_close = 900
multiline_event_extra_waittime = true

I set time_before_close to 15 minutes and multiline_event_extra_waittime to true, however, after trying this out, I see that splunk still does not wait for those 15 minutes to index the populated file and therefore does event breaking in a wrong way.

any suggestions?

0 Karma
Reply

ansif
Motivator
‎06-08-2018 05:42 AM

Restarted splunk service once updated inputs.conf file?

0 Karma
Reply

jchivian
Explorer
‎06-08-2018 07:56 AM

If the files are opened and written to continuously (like /var/log/messages) then you don't need the time_before_close or multiline_event_before_close, just correctly define the LINE_BREAKER and be done with it.

If the files are opened empty, slowly populated, and then closed never to be touched again, then you could modify the process such that they are created and populated with a temporary name, and then when closed are moved, copied, or renamed to something matching the monitoring criteria.

It's the age old problem when you disassociate the processes that create and require the results.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...