Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitor a directory for new files

adityaanand
Explorer
‎05-18-2015 05:11 AM

Hi,
I am trying to monitor a directory.
Suppose that there is a directory named test and it contains initially a log file called access.log.
The access.log file contains following data.
210.160.24.63 - - [07/May/2015:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
.....
.....
It is showing that 13,628 events are indexed.

Now i added an another file access1.log in same directory (test). with little with changes in the file. I have replace 210.160.24.63 with 190.160.24.63 and all other contents are same as it is.

But still in search It is showing that 13,628 events .

I have checked that through CLI that both files are listed in monitor directory.

But i am not getting expected results i.e. events should be increased.

Please help me .

0 Karma
Reply

kheli
Path Finder
‎05-18-2015 06:41 AM

add crcSalt = under your monitor stanza

0 Karma
Reply

tom_frotscher
Builder
‎05-18-2015 05:18 AM

Are the first few lines of the documents exactly the same? Or did the change of the ip influence the also the first few lines of the document?

0 Karma
Reply

adityaanand
Explorer
‎05-18-2015 05:22 AM

No the first line of the document is not exactly same.
I have already mentioned that the first line stated with 210.160.24.63 ... is replaced with 190.160.24.63 and rest of are exactly same.

0 Karma
Reply

tom_frotscher
Builder
‎05-18-2015 05:27 AM

Ok, sorry but from your post it was not completely clear for me that you changed the first line.

Can you provide the corresponding monitoring stanza from your inputs.conf ?

0 Karma
Reply

adityaanand
Explorer
‎05-18-2015 05:35 AM

[monitor://D:/\Splunk Data/\Testing]
disabled = true
index = splunk_test

0 Karma
Reply

tom_frotscher
Builder
‎05-18-2015 05:36 AM

Your input is disabled, change to disabled = false.

0 Karma
Reply

adityaanand
Explorer
‎05-18-2015 05:42 AM

I have changed to disabled = false.
Still i am getting same result.

0 Karma
Reply

tom_frotscher
Builder
‎05-18-2015 05:50 AM

Have you changed this setting in the default or in the local directory? Can you find your input in the web ui? In the web ui and in the correct app context go to settings -> data inputs -> files and directories. Is your input in this list and displayed as "enabled"?

0 Karma
Reply

adityaanand
Explorer
‎05-18-2015 05:58 AM

I have made changes in C:\Program Files\Splunk\etc\apps\search\local\inputs.conf.
i have aslo gone through web ui. I found there status= enabled and no. of file = 1.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...