Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set continuous monitoring of an input file so that it gets indexed as the file gets updated?

surekhasplunk
Communicator
‎11-10-2016 09:06 AM

Hi,

I have Splunk installed on my local Windows machine.
From Splunk Web url, am doing below steps
Settings -> Add data -> Monitor Data ->Add sourcetype add index and submit

Data is coming from the xlsheet correctly under correct index and sourcetype, but problem is when the xlsheet file changes the changed data doesn't come up until i add the same file again from data inputs and do the same steps again.

Can someone please help on how to get the data indexed in Splunk as soon as the input file gets updated.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 03:01 AM

Hi surekhasplunk ,
when you say "xlsheet file changes" do you mean that there are additional lines on the top of the file or that any cells are changed?
Because the changed cells aren't taken by new loads, you can only load the new lines.
If you want to take changes, you have to reload the entire file and manage duplicates with dedup command; if you do this, remember to insert in your inputs.conf stanza the crcSalt= option.

Bye.
Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎11-11-2016 03:32 AM

when I say xlsheet changes I mean new rows get added to the bottom of the file.
So if I add this line "crcSalt= option" to inputs.conf file for my input file I need not have to reload again and again right

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:23 AM

Splunk check the first charachters of a file, if modified take the new lines, could you insert the new lines in the beginning of your file instead the bottom?
Bye.
Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎11-11-2016 01:34 AM

Yes off course....

0 Karma
Reply

sk314
Builder
‎11-10-2016 04:46 PM

When you click on Settings->Add Data->Monitor Data->Files & Directories, are you making sure the "Continuously Monitor" setting is selected instead of "Index Once"?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...