Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to configure Splunk to NOT repeatedly read and index old data?

LuiesCui
Communicator
‎02-04-2015 05:47 PM

New to splunk...i need the splunk server to get data from a .log file which is constantly being inserted data. I hope the index will read the new data in the .log file once the new data is inserted. But what happens is the index also read the old data and it makes the index volume too large. How could I solve this problem?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:56 PM

The difference is that Splunk expects logfiles to be appended to the end. If the file changes anywhere else it's considered to be a new file, and therefore reindexed entirely.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:56 PM

The difference is that Splunk expects logfiles to be appended to the end. If the file changes anywhere else it's considered to be a new file, and therefore reindexed entirely.

Reply
Solved! Jump to solution

LuiesCui
Communicator
‎02-04-2015 07:13 PM

Is it possible to make splunk read the new data only by changing any configurations?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-04-2015 11:15 PM

No. Splunk works on streams of log data, where it is assumed that whatever data is added comes at the end. Otherwise Splunk would have to somehow keep a record of what the file looked like, do a diff and then grab only stuff that's been added, which would be very resource intensive and lead to all kinds of weird problems.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:30 PM

That should by default lead to Splunk only reading in new lines from the end.

Do post the configuration you used to read this file.

0 Karma
Reply
Solved! Jump to solution

LuiesCui
Communicator
‎02-04-2015 06:42 PM

sorry the new data are inserted in the middle of the whole file's data cuz there are different parts of data in the file. What's the difference between these situations?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2015 06:00 PM

Are you appending to the end of the logfile or inserting data somewhere else?

0 Karma
Reply
Solved! Jump to solution

LuiesCui
Communicator
‎02-04-2015 06:25 PM

Appending to the end of the .log

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...