Getting Data In

File monitoring With an interval

ninisimonishvil
Path Finder

Hello everyone.

I have an issue regarding monitoring files in a directory.

The thing is that in order for events to be broken correctly, the file must first be populated, so Splunk must wait before it starts indexing that file. I created a stanza:

[monitor://C:\Program Files\mypath*]
disabled = false
index = default
sourcetype = mysourcetype
crcSalt = <SOURCE>
time_before_close = 900
multiline_event_extra_waittime = true

I set time_before_close to 15 minutes and multiline_event_extra_waittime to true; however, after trying this out, I see that Splunk still does not wait those 15 minutes before indexing the populated file and therefore breaks events the wrong way.

Any suggestions?

0 Karma

ansif
Motivator

Did you restart the Splunk service after updating the inputs.conf file?

0 Karma

jchivian
Explorer

If the files are opened and written to continuously (like /var/log/messages), then you don't need the time_before_close or multiline_event_before_close; just correctly define the LINE_BREAKER and be done with it.

If the files are opened empty, slowly populated, and then closed never to be touched again, then you could modify the process such that they are created and populated with a temporary name, and then when closed are moved, copied, or renamed to something matching the monitoring criteria.

It's the age-old problem when you disassociate the processes that create and require the results.
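One way to implement the producer-side fix jchivian describes, as an added example that is not from this thread: write the events under a temporary name, flush them to disk, then rename the file into the monitored name in one step. It assumes the stanza's basename glob is mypath* and that a blacklist = \.partial$ line is added to the monitor stanza (blacklist is a standard inputs.conf monitor setting); the directory, file names and event lines are constructed for the example.

```python
import os
import re
import fnmatch
import tempfile
from pathlib import Path

# Constructed values for this example; the question's stanza monitors
# C:\Program Files\mypath*, so only the basename pattern matters here.
MONITOR_GLOB = "mypath*"                  # what the [monitor://...mypath*] stanza matches
TEMP_SUFFIX = ".partial"                  # suffix used while the file is still being written
BLACKLIST_RE = re.compile(r"\.partial$")  # same rule as an inputs.conf "blacklist = \.partial$"

def is_monitored(name: str) -> bool:
    """True if the stanza (glob plus blacklist) would index this basename.
    A suffix alone does not escape a trailing '*', hence the blacklist."""
    return fnmatch.fnmatch(name, MONITOR_GLOB) and not BLACKLIST_RE.search(name)

def publish_events(directory: Path, final_name: str, lines) -> Path:
    """Write all events under a temporary name, flush to disk, then rename
    into the monitored name in one step so Splunk never sees a partial file."""
    tmp_name = final_name + TEMP_SUFFIX
    if is_monitored(tmp_name):
        raise ValueError(f"{tmp_name} would be indexed while still being written")
    tmp_path = directory / tmp_name
    with open(tmp_path, "w", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line.rstrip("\n") + "\n")
        fh.flush()
        os.fsync(fh.fileno())             # bytes are on disk before the rename
    final_path = directory / final_name
    os.replace(tmp_path, final_path)      # atomic rename on the same volume (POSIX and Windows)
    return final_path

def run_demo() -> dict:
    """Publish a small constructed multi-line event file into a scratch directory."""
    events = ["2024-01-01 10:00:00 start", "  detail line 1",
              "  detail line 2", "2024-01-01 10:00:05 end"]
    with tempfile.TemporaryDirectory() as scratch:
        final = publish_events(Path(scratch), "mypath_app.log", events)
        return {
            "final_name": final.name,
            "final_monitored": is_monitored(final.name),
            "temp_left_behind": final.with_name(final.name + TEMP_SUFFIX).exists(),
            "line_count": len(final.read_text(encoding="utf-8").splitlines()),
        }
```

With this pattern the time_before_close wait is no longer load-bearing: the monitored name only ever appears once the file is complete, so event breaking sees the whole multi-line event at once.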
