I was able to replicate your requirement with the following (simply replace hour = 12 with hour = 19 and then specify the name of your csv):
| stats count | addinfo | eval hour = strftime(info_search_time, "%H") | eval minutes = strftime(info_search_time, "%M") | where hour = 12 AND minutes < 30 | map search="| inputcsv mycsv.csv"
No, I don't want to filter it from the search head; I want to apply some config.
The reason is that when Splunk is trying to read a file, it does not allow the jobs to update the same file... it says that the file is already being used by Splunk, so we can't update the csv. During some period of time, let's say 7pm to 7:30pm, no jobs will be running, so I can easily read the file.
Are you sure that Splunk is the problem? That is very rare; Splunk is prepared to read files while they are updated.
Yeah, I know, but in this case this is the only solution, and I also have another requirement like this.
I want the solution as stated in my query.
Have you thought of a cron script to change the permissions of the file to control access for the splunk user?
I don't see another solution.
Hi thippeshaj, Generally there isn't any configuration for a monitor stanza to prompt it to stop/start reading at certain times. One workaround would be to create a scheduled task to disable/enable the monitor stanza for this input at specific times of the day. You could edit the configuration file directly with a script, or use the Splunk command line to disable/enable the input. http://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands
Alternatively you might have luck with the "monitorNoHandle" type input as described in the inputs.conf spec http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf . This type of input just monitors for file writes, and doesn't maintain a handle on the actual file, which sounds related to the original issue.
Please let me know if this answers your question!
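
Added example, not part of the thread and not Splunk's own code: a sketch of the "edit the configuration file directly with a script" workaround, toggling the `disabled` setting of one monitor stanza so the input is enabled only between 7pm and 7:30pm. The stanza path and sample inputs.conf text are constructed; writing the result back to disk from the scheduled task and having Splunk re-read its inputs are assumed to happen outside this code.

```python
import re
from datetime import time

# Read window taken from the question: 19:00 to 19:30.
WINDOW_START, WINDOW_END = time(19, 0), time(19, 30)

# Constructed sample inputs.conf content; the directory is hypothetical.
SAMPLE = """[monitor:///data/jobs/mycsv.csv]
sourcetype = csv
index = main

[monitor:///var/log/other.log]
disabled = 0
"""

def in_window(now, start=WINDOW_START, end=WINDOW_END):
    """True when `now` (a datetime.time) falls in [start, end)."""
    return start <= now < end

def set_monitor_disabled(conf_text, stanza, disabled):
    """Return conf_text with `disabled = 0|1` set inside [stanza] only."""
    value = "1" if disabled else "0"
    out, inside, written, found = [], False, False, False
    for line in conf_text.splitlines():
        header = re.match(r"^\s*\[(.+)\]\s*$", line)
        if header:
            if inside and not written:   # target stanza ended without the key
                out.append(f"disabled = {value}")
            inside = header.group(1) == stanza
            found = found or inside
            written = False
        elif inside and re.match(r"^\s*disabled\s*=", line):
            line, written = f"disabled = {value}", True
        out.append(line)
    if inside and not written:           # target stanza was the last one
        out.append(f"disabled = {value}")
    if not found:
        # Refuse to report success when nothing was changed.
        raise KeyError(f"stanza not found: {stanza}")
    return "\n".join(out) + "\n"

def apply_schedule(conf_text, stanza, now):
    """Enable the input inside the read window, disable it outside."""
    return set_monitor_disabled(conf_text, stanza, disabled=not in_window(now))

if __name__ == "__main__":
    print(apply_schedule(SAMPLE, "monitor:///data/jobs/mycsv.csv", time(12, 0)))
```

Because the function only rewrites the named stanza and raises when it is missing, a scheduled run cannot silently disable other inputs or report success against the wrong file.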