Getting Data In

How to configure Splunk for input active files?

edrivera3
Builder

Hi,

I'm already monitoring new files in a directory, but I would like to monitor the changes in the files too. Here is my inputs.conf file.

[monitor://C:\Users\edlaptop\Documents\logs\*.log]
index = cars
sourcetype = models
crcSalt = <SOURCE>

The format of the above data is just events with timestamps, so I want to upload any new event/log added to the end of the file.

[monitor://C:\Users\edlaptop\Documents\conf\*.conf]
index = cars_conf
sourcetype = conf
crcSalt = <SOURCE>

The format of these files is a small list of configuration settings that sometimes changes. Is there a way to make Splunk update the data? Or make Splunk delete the data and automatically upload it again with the new configuration?

0 Karma

s2_splunk
Splunk Employee

Not sure I understand your question...
[monitor://....] will monitor the specified path/file and continue to do so as data is appended to files. That is the purpose of a monitor input. Do you see a different behavior?

0 Karma

edrivera3
Builder

Hi,

Sorry for taking so much time to respond. At least for the second example, which is a configuration file, the data is being reindexed, but I ended up having two files with the same name and same directory. This is not what I want. This is just a configuration file, not a log file, so if this file is modified Splunk should reindex it and replace the old one.

...| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")| stats count by source, indextime

This command showed that the file is simply reindexed and I ended up with two files. I still need to check if this behavior is the same for the first example, which is a log file.

0 Karma