SPLUNK could't parse all files in same directrory

Amirahussein · ‎01-13-2020

please need your support as SPLUNK didn't parse all files from same path, i.e for example in my inputs.conf there are 2 stanza to monitor two paths. each path has around 1250 files, so i should find around 2500 files when searching for files.
i updated inputs.conf with (crcSalt = ** and **initCrcLength = 2000) and nothing occurred

i found only the exact number of files after restarting SPLUNK service, so is it a mandatory to restart splunk every time i got the files to be parsed ?!!!

[monitor:///home/Path1/.xml]
disabled = 0
host_segment = 4
index = index1
sourcetype = sourcetype1
recursive = true
**crcSalt =
initCrcLength = 2000*

JohnGilmour · ‎01-13-2020

There are plenty of documents on the Splunk base that will go into details, take a look at the ignoreOlderThan data stanza.

In answer to the question about restarting splunk, you don't need to do a full system restart. Just the below command

./splunk _internal call /services/data/inputs/monitor/_reload -auth

SPLUNK could't parse all files in same directrory

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

SPLUNK could't parse all files in same directrory

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem