Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk not indexing text file

osasfrancis
Path Finder
‎04-05-2021 12:53 PM

Hi all, i have a simple splunk app that monitors a folder and indexes a text file that is overwritten every hour. It works fine. Then all of a sudden, it just stops indexing, even as new files are created. Below are my configs. Any suggestion is appreciated

inputs.conf

[monitor://E:\Splunk\ccure\AllSites\*.txt]
sourcetype = ccure:allsite:csv
index = security
disabled = false

[monitor://E:\Splunk\ccure\Forced_Held\*.txt]
sourcetype = ccure:door_csv
index = security
disabled = false

props.conf
[ccure:allsite:csv]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
disabled=false
pulldown_type=true
CHECK_METHOD=modtime 

[ccure:door_csv]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=180
disabled=false
CHECK_METHOD=modtime
SEDCMD-crop_extra_line=s/(?!match)Door Forced Report - InfoSec(?!match)($|([\r\n]+))//g
TRANSFORMS-set=setnull

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-05-2021 11:48 PM

Hi @osasfrancis,

when did indexing stop?
if it happened from the 1st of the month, you should check the date format, because if it is in European format (dd / mm / yyyy) and you have not defined the TIME_FORMAT, Splunk interprets it with the American format (mm / dd / yyyy) .
The problem will be solved automatically from the 13th until the end of the month because there will be no more ambiguity.

Ciao.

Giuseppe

Reply

osasfrancis
Path Finder
‎04-06-2021 10:30 AM

Hi,

Thanks for your response. It stopped indexing 4/3/2021. And since then, the text file has been overwritten every hour with new contents, but for some reason, it is just not picking up the updated file. Also, the program creating the text file does not have the ability to give the file a new name everytime it generates it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...