Getting Data In
Highlighted

Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Explorer

Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Splunk should read a file only from 07:00PM to 07:30PM

Please let me know if any way to do it.

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

SplunkTrust
SplunkTrust

Hi,

I was able to replicate your requirement with the following (simply replace hour = 12 with hour = 19 and then specify the name of your csv):

| stats count
| addinfo
| eval hour = strftime(info_search_time, "%H")
| eval minutes = strftime(info_search_time, "%M")
| where hour = 12 AND minutes < 30
| map search="| inputcsv mycsv.csv"
0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Explorer

No I don't want to filter it from the search head I want to apply some config.
The reason is when Splunk trying to read a file it is not allowing the jobs to update the same file... it is telling that the file is already using by Splunk so we can't update the csv. During some period of time lets say 7pm to 7:30pm no jobs will be running so I can easily read the file.

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Builder

Hi,

Are you sure that splunk is the problem? Very rare, splunk is prepared to read files while they are updated.

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Explorer

Hi,
Yeah I know but in this case this is the only solution and even I have another same requirement also,
I want the solution as stated in my query.

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Builder

Hi,

Have you thought in a cron script to change the permissions of the file to control the access to splunk user?

I dont see other solution

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

SplunkTrust
SplunkTrust

Hi thippeshaj, Generally there isn't any configuration for a monitor stanza to prompt it to stop/start reading at certain times. One workaround would be to create a scheduled task to disable/enable to the monitor stanza for this input at specific times of the day. You could edit the configuration file directly with a script, or use the Splunk commandline to disable/enable the input. http://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands

Alternatively you might have luck with "monitorNoHandle" type input as described in the inputs.conf spec http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf . This type of input just monitors for file writes, and doesn't maintain a handle on the actual file, which sounds to be something related to the original issue.

Please let me know if this answers your question!

View solution in original post

0 Karma
Highlighted

Re: Is there any way to tell Splunk to read a file(csv) in a particular period of time ?

Esteemed Legend
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.