Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not indexing text file

osasfrancis
Path Finder
‎04-05-2021 12:53 PM

Hi all, i have a simple splunk app that monitors a folder and indexes a text file that is overwritten every hour. It works fine. Then all of a sudden, it just stops indexing, even as new files are created. Below are my configs. Any suggestion is appreciated

inputs.conf

[monitor://E:\Splunk\ccure\AllSites\*.txt]
sourcetype = ccure:allsite:csv
index = security
disabled = false

[monitor://E:\Splunk\ccure\Forced_Held\*.txt]
sourcetype = ccure:door_csv
index = security
disabled = false

props.conf
[ccure:allsite:csv]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=csv
KV_MODE=none
category=Structured
disabled=false
pulldown_type=true
CHECK_METHOD=modtime 

[ccure:door_csv]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=180
disabled=false
CHECK_METHOD=modtime
SEDCMD-crop_extra_line=s/(?!match)Door Forced Report - InfoSec(?!match)($|([\r\n]+))//g
TRANSFORMS-set=setnull

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-05-2021 11:48 PM

Hi @osasfrancis,

when did indexing stop?
if it happened from the 1st of the month, you should check the date format, because if it is in European format (dd / mm / yyyy) and you have not defined the TIME_FORMAT, Splunk interprets it with the American format (mm / dd / yyyy) .
The problem will be solved automatically from the 13th until the end of the month because there will be no more ambiguity.

Ciao.

Giuseppe

Reply

osasfrancis
Path Finder
‎04-06-2021 10:30 AM

Hi,

Thanks for your response. It stopped indexing 4/3/2021. And since then, the text file has been overwritten every hour with new contents, but for some reason, it is just not picking up the updated file. Also, the program creating the text file does not have the ability to give the file a new name everytime it generates it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...