Getting Data In

How to configure Splunk for input active files?

edrivera3
Builder

Hi,

I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Here is my inputs.conf file.

[monitor://C:\Users\edlaptop\Documents\logs\*.log]
index = cars
sourcetype = models
crcSalt = <SOURCE>

The format in the above data is just events with timestamp, so I want to upload any new event/log added to the end of file.

[monitor://C:\Users\edlaptop\Documents\conf\*.conf]
index = cars_conf
sourcetype = conf
crcSalt = <SOURCE>

The format of these files is a small list of configuration that sometimes changes. Is there a way to make Splunk update the data, or make Splunk delete the data and automatically upload it again with the new configuration?

0 Karma

s2_splunk
Splunk Employee

Not sure I understand your question...
[monitor://....] will monitor the specified path/file and continue to do so as data is appended to files. That is the purpose of a monitor input. Do you see a different behavior?

0 Karma

edrivera3
Builder

Hi,

Sorry for taking so much time to respond. At least for the second example, which is a configuration file, the data is being reindexed, but I ended up having two files with the same name and same directory. This is not what I want. This is just a configuration file, not a log file, so if this file is modified Splunk should reindex it and replace the old one.

...| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")| stats count by source, indextime

This command showed that the file is simply reindexed and I ended up with two files. I still need to check if this behavior is the same for the first example, which is a log file.

0 Karma
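A monitor input never deletes what it already indexed, so every re-read of a rewritten .conf file adds a second copy of its events next to the first. The following search is an added example (not from the thread or from Splunk's documentation) that shows how to read back only the most recent copy of each file; it assumes the index and sourcetype from the question and that one re-read of a small file finishes within 60 seconds.

```spl
index=cars_conf sourcetype=conf
| eventstats max(_indextime) as latest_indextime by source
| where latest_indextime - _indextime < 60
| eval indexed_at = strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| table source indexed_at _raw
| sort source
```

The 60-second window keeps all lines that were indexed together in the last re-read of each file and drops the older copies; shrink the window if a file can be rewritten more often than that.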