Solved: Re: Issue with indexing multiple files from same f...

k_harini · ‎10-23-2017

Hi,
I would like to index files into different indexes which are residing in same folder. I did whitelisting. But only first file in folder got indexed successfully. Other 2 files are not indexed.

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
whitelist = (prime.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
whitelist = (Architect.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
whitelist = (archade.*\.csv)
crcSalt = <SOURCE>

what could be the reason. ? How can i achieve this in a different way? please provide some pointers

harsmarvania57 · ‎10-23-2017

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

View solution in original post

harsmarvania57 · ‎10-23-2017

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

k_harini · ‎10-24-2017

This worked with some slight modifications. Thanks!

zanb · ‎02-03-2019

What were your modifications? Please post details of solutions, as "this worked with some slight modifications" helps no one else with the same issue! Thank you!

k_harini · ‎10-23-2017

Thanks a lot. I will try this now

k_harini · ‎10-24-2017

This did not work.. none of files got indexed 😞

lloydknight · ‎10-23-2017

Hello @k_harini

May I ask if what are you trying achieve?

try changing the sourcetype name per index.

Issue with indexing multiple files from same folder

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today