Index monitored file initially

Path Finder

Hi, it seems like this should be something simple, but I was unable to find this anywhere in the documentation or past questions.

I want Splunk to index the initial file that I am going to monitor even if the file was not modified. It seems like when I monitor some file, it only gets indexed if a change occurs, which is fine. But if I just started monitoring some file, I need to see some indexed data that I will be able to query.

Here is my current configuration in the input.conf file. Also, this is on a forwarder if that makes any difference.

[monitor://C:\Testing\]
whitelist = config
alwaysOpenFile = 1
disabled = 0
interval = 60
followTail = 0
index = configindex
_TCP_ROUTING = rcvr_9903

Thanks.

Splunk Employee

Splunk has internal tracking of files so that it does not reindex files. You can force Splunk to reindex data by using CRC Salt. If you add the following setting to your stanza, the file will be reindexed:

crcSalt = <SOURCE>

Here is an excerpt from the documentation regarding this setting:

crcSalt = <string>

If set, this string is added to the CRC.
Use this setting to force Splunk to consume files that have matching CRCs.
If set to crcSalt = <SOURCE> (note: This setting is case sensitive), then the full source path is added to the CRC.

We typically do NOT recommend adding this as you will confuse Splunk regarding what files need to be indexed in addition to how much of that file has been indexed.
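
A simplified model of the tracking described in this answer, added here as an illustration and not taken from the post or from Splunk's own code. It assumes a file is identified by a checksum of its first 256 bytes (zlib.crc32 stands in for the real checksum); the class, function names and the paths under C:\Testing\ are constructed.

```python
import zlib

INIT_CRC_LENGTH = 256  # assumption: number of leading bytes that identify a file


class MonitorTracker:
    """Toy stand-in for the forwarder's record of files it has already read."""

    def __init__(self, crc_salt=""):
        self.crc_salt = crc_salt
        self.offsets = {}  # file key -> number of bytes already indexed

    def _key(self, source, data):
        # crcSalt = <SOURCE> mixes the full source path into the checksum;
        # any other value is mixed in as a literal string.
        salt = source if self.crc_salt == "<SOURCE>" else self.crc_salt
        return zlib.crc32(salt.encode() + data[:INIT_CRC_LENGTH])

    def scan(self, source, data):
        """Return the bytes that this scan would send to the index."""
        key = self._key(source, data)
        start = self.offsets.get(key, 0)
        self.offsets[key] = max(start, len(data))
        return data[start:]


def indexed_bytes(crc_salt, events):
    """Replay (source, content) scans and return bytes indexed per scan."""
    tracker = MonitorTracker(crc_salt)
    return [len(tracker.scan(source, data)) for source, data in events]


# Constructed sample: two files with identical content, then one of them renamed.
CONFIG = b"# constructed sample config\n" + b"setting = value\n" * 20
EVENTS = [
    (r"C:\Testing\app1\config", CONFIG),
    (r"C:\Testing\app2\config", CONFIG),      # same bytes, different path
    (r"C:\Testing\app1\config.old", CONFIG),  # first file renamed, unchanged
]

if __name__ == "__main__":
    for salt in ("", "<SOURCE>"):
        print(repr(salt), indexed_bytes(salt, EVENTS))
```

Without a salt only the first file is read and the other two are treated as already indexed. With `<SOURCE>` every path is read in full, including the renamed copy, which is the duplicate indexing the answer warns about.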


Path Finder

Thanks for your solution, it did work but the alwaysOpenFile setting still has to be enabled. I was hoping to not use this setting since it is said to slow down indexing, but without it crcSalt does not index the file initially. I guess that is ok since the file will only be indexed once a day at most.

I did see the crcSalt setting before but the description did not help me recognize that that is the setting I was looking for.
