Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Mulitiple Files in the same directory

bandit
Motivator
‎10-10-2013 03:27 PM

I've seen the documentation and believe there is a way to dynamically do this with props.conf but I'm not understanding how to do it. I my case I'm working with 15 different source types with different file names, but at the same nested directory level.

Only one works at a time, but if both are enabled, only the last one works. Both stanzas below are similar but one has disktool.txt and one has diskview.txt.

inputs.conf
[monitor://\\host.share.comUploadDatasupportdata_Customers...*.disktool.txt] crcSalt = <source> index = eql_disktool sourcetype = disktool

[monitor://\\host.share.comUploadDatasupportdata_Customers...*.diskview.txt] crcSalt = <source> index = eql_diskview sourcetype = diskview

Thanks,

Rob

Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-14-2013 06:31 AM

I would recommend an approach similar to this:

(inputs.conf on the forwarder)

[monitor://\\host.share.comUploadDatasupportdata_Customers]
whitelist = disk(view|tool)\.txt$

(props.conf on the forwarder & indexer)

[source::...diskview.txt]
sourcetype=diskview

[source:...disktool.txt]
sourcetype=disktool

[diskview]
TRANSFORMS-index = diskview-index

[disktool]
TRASNFORMS-index = disktool-index

(transforms.conf on the indexer)

[diskview-index]
DEST_KEY=_MetaData:Index
REGEX = .
FORMAT = diskview

[disktool-index]
DEST_KEY=_MetaData:Index
REGEX = .
FORMAT = disktool

This avoids have overlapping (or nearly overlapping) monitor stanzas, and sets the sourcetype of each file by name. Once the sourcetype is set, it uses index-time transforms to move the data into the correct indexes.

Reply

lguinn2
Legend
‎10-14-2013 01:51 AM

Wow - a million files is definitely a performance problem. Are all the files "live" or are some of them stale? Check out some of the inputs.conf settngs - or better yet, move stale files to another directory after some appropriate time lapse (like a week).

0 Karma
Reply

bandit
Motivator
‎10-11-2013 02:56 PM

I'm now thinking this may be just a performance issue since a single indexer is trying to ingest more than a million files. It may be just working through one rule at a time. That would make sense why each rule works individually.

0 Karma
Reply

bandit
Motivator
‎10-10-2013 06:44 PM

Thanks, will let you know

0 Karma
Reply

lukejadamec
Super Champion
‎10-10-2013 06:43 PM

Try it without the crcsalt, and see if you get my results. I have not used that yet, because it is bad juju.

0 Karma
Reply

bandit
Motivator
‎10-10-2013 06:37 PM

For me, I get the same behavior on my local laptop with no share. Doesn't seem to like the combination of wilcard ... and a similar path. If I disable the last source, the next to last source starting indexing events 🙂

0 Karma
Reply

lukejadamec
Super Champion
‎10-10-2013 05:50 PM

There is definitely something wrong with shares. I cannot get this to break on local drives. I'll test it on shares tomorrow.

0 Karma
Reply

bandit
Motivator
‎10-10-2013 04:39 PM

alt text

Rule works as long as you only have one monitor stanza active otherwise it seems to conflict with others.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...