File monitoring with an interval

ninisimonishvil
Path Finder

Hello everyone.

I have an issue regarding monitoring files in a directory.

The thing is that in order for events to be broken correctly, the file must first be populated, so Splunk must wait before it starts indexing that file. I created a stanza:

[monitor://C:\Program Files\mypath*]
disabled = false
index = default
sourcetype = mysourcetype
crcSalt = <SOURCE>
time_before_close = 900
multiline_event_extra_waittime = true

I set time_before_close to 15 minutes and multiline_event_extra_waittime to true; however, after trying this out, I see that Splunk still does not wait for those 15 minutes to index the populated file and therefore breaks events incorrectly.

Any suggestions?

0 Karma

ansif
Motivator

Did you restart the Splunk service after updating the inputs.conf file?

0 Karma

jchivian
Explorer

If the files are opened and written to continuously (like /var/log/messages) then you don't need the time_before_close or multiline_event_before_close, just correctly define the LINE_BREAKER and be done with it.

If the files are opened empty, slowly populated, and then closed never to be touched again, then you could modify the process such that they are created and populated with a temporary name, and then when closed are moved, copied, or renamed to something matching the monitoring criteria.

It's the age-old problem when you disassociate the processes that create and require the results.
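
The write-under-a-temporary-name-then-rename approach from the answer above, as an added example that is not part of the original thread. The function name `publish_log` and the `.partial` suffix are hypothetical, and the suffix is assumed not to match the monitor stanza.

```python
import os
import tempfile


def publish_log(final_path, lines, tmp_suffix=".partial"):
    """Write every line under a temporary name, then rename to final_path.

    The temporary file is created in the target's own directory so the
    rename stays on one filesystem and the monitored name only ever
    appears with complete content. tmp_suffix is an assumption: it must
    not match the path pattern of the monitor stanza.
    """
    directory = os.path.dirname(os.path.abspath(final_path))
    fd, tmp_path = tempfile.mkstemp(suffix=tmp_suffix, dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as handle:
            for line in lines:
                handle.write(line.rstrip("\n") + "\n")
            # Push the data to disk before the file becomes visible
            # under the monitored name.
            handle.flush()
            os.fsync(handle.fileno())
        # Single rename: the forwarder never sees a half-written file.
        os.replace(tmp_path, final_path)
    except BaseException:
        # A failed or interrupted write must not leave a stray file behind.
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
        raise
    return final_path


if __name__ == "__main__":
    # Constructed sample: one multi-line event followed by a single-line event.
    sample = [
        "2024-01-01 10:00:00 ERROR request failed",
        "  at handler (line 12)",
        "  at dispatcher (line 40)",
        "2024-01-01 10:00:05 INFO retry succeeded",
    ]
    out_dir = tempfile.mkdtemp()
    print(publish_log(os.path.join(out_dir, "mysource.log"), sample))
```
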
