Solved: Index only new lines

grivera_kudaw · ‎06-27-2018

Hi.

I have a requirement of a client, he has a file that indexes every day, but that file is modified at different times, for example modifications to lines 8 and 10000 at 20:00hrs, after modifications of lines 2 and 10100 at 22:00 hrs , Is it possible to index only the lines that have been modified?, at 2:00 am the file not change more.

FrankVl · ‎06-27-2018

No, Splunk cannot be configured to monitor individual changes inside a file. Just the entire file, or new lines at the end of a file.

So the only way to do this would be to write some kind of script that detects the changes and writes those to a new file that is monitored by Splunk.

View solution in original post

FrankVl · ‎06-27-2018

No, Splunk cannot be configured to monitor individual changes inside a file. Just the entire file, or new lines at the end of a file.

So the only way to do this would be to write some kind of script that detects the changes and writes those to a new file that is monitored by Splunk.

Index only new lines

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation