I am trying to monitor a directory.
Suppose that there is a directory named test and it contains initially a log file called access.log.
The access.log file contains the following data.
184.108.40.206 - - [07/May/2015:18:22:16] "GET /product.screen?productId=WC-SH-A02&JSESSIONID=SD0SL6FF7ADFF4953 HTTP 1.1" 200 3878 "http://www.google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 349
It is showing that 13,628 events are indexed.
Now I added another file, access1.log, in the same directory (test), with small changes in the file. I have replaced 220.127.116.11 with 18.104.22.168 and all other contents are the same as they were.
But the search is still showing 13,628 events.
I have checked through the CLI that both files are listed in the monitor directory.
But I am not getting the expected results, i.e. the events should have increased.
Please help me.
No, the first line of the document is not exactly the same.
I have already mentioned that the first line starting with 22.214.171.124 ... is replaced with 126.96.36.199 and the rest are exactly the same.
OK, sorry, but from your post it was not completely clear to me that you changed the first line.
Can you provide the corresponding monitoring stanza from your inputs.conf?
Have you changed this setting in the default or in the local directory? Can you find your input in the web UI? In the web UI and in the correct app context go to settings -> data inputs -> files and directories. Is your input in this list and displayed as "enabled"?
I have made changes in C:\Program Files\Splunk\etc\apps\search\local\inputs.conf.
I have also gone through the web UI. There I found status = enabled and no. of files = 1.