Solved: Re: Sourcefile name changes at index time - interm...

timrich66 · ‎08-12-2020

Hi All,

I am currently ingesting plain text files with a filename format as follows -

4d618da0-48f0-430d-9c9f-10c6e5ba6971_Batch1_20200810.5415.finish

Each day a new files are created with the day's date and a sequential number before the .finish

e.g. 4d618da0-48f0-430d-9c9f-10c6e5ba6971_Batch1_yyyymmdd.nnnn.finish

When the files are ingested, the source name extension is (intermittently) changed from ending 'nnnn.finsh' to '.xml'

e.g. 4d618da0-48f0-430d-9c9f-10c6e5ba6971_Batch1_20200810.xml

We are running a distributed environment with 4 indexers. This trait is being seen across all indexers and on files being ingested from different servers.

As I rely on checking for '.finish' in the source, is there a way of setting props or transforms to stop the file extension being changed?

I hope this makes some sense. Thanks in advance for assistance.

timrich66 · ‎08-18-2020

I appear to have fixed this.

I have changed the monitor path to read "*.*.finish" and the source name has remained unchanged since.

View solution in original post

timrich66 · ‎08-18-2020

I appear to have fixed this.

I have changed the monitor path to read "*.*.finish" and the source name has remained unchanged since.

Sourcefile name changes at index time - intermittently

index

source

XML

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies