Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk for input active files?

edrivera3
Builder
‎09-24-2015 02:19 PM

Hi,

I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Here is my inputs.conf file. 

[monitor://C:\Users\edlaptop\Documents\logs\*.log]
index = cars
sourcetype = models
crcSalt = <SOURCE>

The format in the above data is just events with timestamp, so I want to upload any new event/log added to the end of file.

[monitor://C:\Users\edlaptop\Documents\conf\*.conf]
index = cars_conf
sourcetype = conf
crcSalt = <SOURCE>

The format of these files is a small list of configuration that sometimes changes. Is there a way to make Splunk update the data? or make Splunk delete the data and automatically upload it again with the new configuration?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-25-2015 01:57 PM

Not sure I understand your question...
[monitor://....] will monitor the specified path/file and continue to do so as data is appended to files. That is the purpose of a monitor input. Do you see a different behavior?

0 Karma
Reply

edrivera3
Builder
‎10-29-2015 03:13 PM

HI

Sorry for taking so much time to respond. At least for second example which is a configuration file the data is being reindexed but I ended up having two files with the same name and same directory. This is not what I want. This is just a configuration file, not a log file, so if this file is modified Splunk should reindexed and replace it for the old one.

...| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")| stats count by source, indextime

This command showed that the file is simply reindexed and I ended with two files. I still need to check if this behavior is the same for the first example which is a log file.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...