Hi,
I would like to index files into different indexes which are residing in same folder. I did whitelisting. But only first file in folder got indexed successfully. Other 2 files are not indexed.
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
whitelist = (prime.*\.csv)
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
whitelist = (Architect.*\.csv)
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
whitelist = (archade.*\.csv)
crcSalt = <SOURCE>
what could be the reason. ? How can i achieve this in a different way? please provide some pointers
Hi @k_harini,
When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.
In your case you can configure inputs.conf as below
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
Hi @k_harini,
When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.
In your case you can configure inputs.conf as below
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
crcSalt = <SOURCE>
This worked with some slight modifications. Thanks!
What were your modifications? Please post details of solutions, as "this worked with some slight modifications" helps no one else with the same issue! Thank you!
Thanks a lot. I will try this now
This did not work.. none of files got indexed 😞
Hello @k_harini
May I ask if what are you trying achieve?
try changing the sourcetype name per index.