Getting Data In

How to configure Splunk for input active files?

edrivera3
Builder

Hi,

I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Here is my inputs.conf file.

[monitor://C:\Users\edlaptop\Documents\logs\*.log]
index = cars
sourcetype = models
crcSalt = <SOURCE>

The format of the above data is just events with timestamps, so I want to upload any new event/log added to the end of the file.

[monitor://C:\Users\edlaptop\Documents\conf\*.conf]
index = cars_conf
sourcetype = conf
crcSalt = <SOURCE>

The format of these files is a small list of configuration settings that sometimes changes. Is there a way to make Splunk update the data? Or make Splunk delete the data and automatically upload it again with the new configuration?

0 Karma

s2_splunk
Splunk Employee

Not sure I understand your question...
[monitor://....] will monitor the specified path/file and continue to do so as data is appended to files. That is the purpose of a monitor input. Do you see a different behavior?

0 Karma

edrivera3
Builder

Hi,

Sorry for taking so much time to respond. At least for the second example, which is a configuration file, the data is being reindexed, but I ended up having two files with the same name and same directory. This is not what I want. This is just a configuration file, not a log file, so if this file is modified Splunk should reindex it and replace the old one with it.

...| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")| stats count by source, indextime

This command showed that the file is simply reindexed and I ended up with two files. I still need to check if this behavior is the same for the first example, which is a log file.

0 Karma