Getting Data In

Issue with indexing multiple files from same folder

k_harini
Communicator

Hi,
I would like to index files into different indexes which are residing in same folder. I did whitelisting. But only first file in folder got indexed successfully. Other 2 files are not indexed.

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
whitelist = (prime.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
whitelist = (Architect.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
whitelist = (archade.*\.csv)
crcSalt = <SOURCE>

what could be the reason. ? How can i achieve this in a different way? please provide some pointers

Tags (1)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

View solution in original post

0 Karma

k_harini
Communicator

This worked with some slight modifications. Thanks!

0 Karma

zanb
Path Finder

What were your modifications? Please post details of solutions, as "this worked with some slight modifications" helps no one else with the same issue! Thank you!

0 Karma

k_harini
Communicator

Thanks a lot. I will try this now

0 Karma

k_harini
Communicator

This did not work.. none of files got indexed 😞

0 Karma

lloydknight
Builder

Hello @k_harini

May I ask if what are you trying achieve?

try changing the sourcetype name per index.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!