Some files are not being indexed

cchange · ‎10-25-2017

Hi,

I configured inputs.conf to monitor a directory. All the files in the directory were not ingested to Splunk. Some XML files are being missed. I don't see any errors in the _internal logs. Can you please let me know if I'm missing any property in my configuration file?

my sample inputs.conf

index=test
sourcetype=test

cchange · ‎11-12-2017

I added crcSalt = and missing files were ingested successfully.

kannu · ‎10-27-2017

check your splunkd log in splunkhome/var/log/splunk/
for example
if you are looking file abc.txt then
cat splunkd.log | grep -i "abc.txt"

you will get the error message if not you will see the following entry [addingwatcher] that means file has been watched you will soon see the file contents on your search head

gcusello · ‎10-25-2017

Hi cchange,
could you share your inputs.conf and the pathnames of your target files?
Bye.
Giuseppe

cchange · ‎10-26-2017

Hello.

It look like this.

monitor:\\directory
index=test
sourcetype=test1
disabled=0

gcusello · ‎10-27-2017

Hi cchange,
there are some errors, you should have esomething like this:

[monitor://C:\directory\myfile.txt]
index=test
sourcetype=test1
disabled=0

remember that the first two slashes are fixed, in unix you have another one slash, instead in Windows you have the full path (with drive) of the files to monitor; you can also use *.
For more information see http://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain .
Bye.
Giuseppe

Some files are not being indexed

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!