Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Send data from file even if there is no change
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shreyasathavale
Communicator
02-24-2020
01:09 AM
I have a file in a directory, whose timestamp is changed everyday using "touch" command. The contents might change after 3 months but not daily.
I need to monitor this file in splunk and read the contents even if they are same.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-24-2020
03:22 AM
In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.
props.conf
[source::<file_path>]
CHECK_METHOD = modtime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-24-2020
03:22 AM
In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.
props.conf
[source::<file_path>]
CHECK_METHOD = modtime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shreyasathavale
Communicator
02-24-2020
04:50 AM
I tried this but somehow it is not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-24-2020
05:43 AM
can you post inputs.conf and props.conf for this source?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shreyasathavale
Communicator
02-24-2020
05:51 AM
Hi, these are the conf files
Inputs.conf is:
[monitor://D:\splunk\abc.csv]
disabled = false
index = main
sourcetype = abccsv
Props.conf:
[labccsv]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
disabled = false
maxDist = 75
pulldown_type = true
CHECK_METHOD = modtime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
02-24-2020
05:56 AM
CHECK_METHOD = modtime must be set for [source:] stanza only not sourcetype.
Add this to props.conf.
[source::D:\splunk\abc.csv]
CHECK_METHOD = modtime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shreyasathavale
Communicator
02-24-2020
06:53 AM
That did the trick !!! Thanks!!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
