Getting Data In

Send data from file even if there is no change

shreyasathavale
Communicator

I have a file in a directory, whose timestamp is changed everyday using "touch" command. The contents might change after 3 months but not daily.
I need to monitor this file in splunk and read the contents even if they are same.

Tags (1)
0 Karma
1 Solution

manjunathmeti
Champion

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime

View solution in original post

0 Karma

manjunathmeti
Champion

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime
0 Karma

shreyasathavale
Communicator

I tried this but somehow it is not working

0 Karma

manjunathmeti
Champion

can you post inputs.conf and props.conf for this source?

0 Karma

shreyasathavale
Communicator

Hi, these are the conf files
Inputs.conf is:
[monitor://D:\splunk\abc.csv]
disabled = false
index = main
sourcetype = abccsv

Props.conf:
[labccsv]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
disabled = false
maxDist = 75
pulldown_type = true
CHECK_METHOD = modtime

0 Karma

manjunathmeti
Champion

CHECK_METHOD = modtime must be set for [source:] stanza only not sourcetype.

Add this to props.conf.

[source::D:\splunk\abc.csv]
CHECK_METHOD = modtime
0 Karma

shreyasathavale
Communicator

That did the trick !!! Thanks!!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...