Hello Splunkers!!
I have 5 file paths which we are monitoring:
D01A01023(Z+01) -- Data is not coming
D01A02023(Z+01) -- Data is coming fine
D01A03023(Z+01) -- Data is not coming
D01A04023(Z+01) -- Data is coming fine
D01A05023(Z+01) -- Data is coming fine
We have similar data files, and the log patterns are the same for all the files, but even so logs are coming to Splunk from only 3 files, not all of them.
I have checked inputs.conf, props.conf & transforms.conf, and all are fine. But I am still figuring out what more I need to check to troubleshoot this issue.
Check the output from
splunk list monitor
and
splunk list inputstatus
on the Splunk component monitoring the files.
Please share the inputs.conf stanzas for the 5 file paths.
@richgalloway Can adding crcSalt = <source> resolve the issue?
crcSalt=<SOURCE> can help prevent re-indexing of a file that has been renamed, but won't help with files that aren't indexed at all.
The regex in the whitelist doesn't match the file names in the OP. For starters, none of the file names end with ".log". This regex matches the example names, according to regex101.com:
D[0-9]{2}A[0-9]{5}\(Z[+-][0-9]{2}\)
That fits the original regex (I'm assuming "Filelog" in the original is a typo).
Have you checked the logs to see if Splunk is reporting any errors accessing the files?
@richgalloway
[monitor://c:\Filelog\*.log]
whitelist = [\/\\]D[0-9]{2}A[0-9]{5}\(Z(?:\+|\-)[0-9]{2}\).log$
disabled = false
index = abc
sourcetype = abc_logs
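
An added example, not part of any post in this thread: a Python check of the two regexes quoted above against the five names from the original post. It assumes Python's `re` behaves like Splunk's PCRE for these patterns, that the whitelist is searched unanchored against the full path, and that the files sit under `c:\Filelog\` either bare or with a `.log` suffix (the thread does not show the on-disk names).

```python
import re

# Regexes copied verbatim from the thread.
OP_WHITELIST = r"[\/\\]D[0-9]{2}A[0-9]{5}\(Z(?:\+|\-)[0-9]{2}\).log$"
REPLY_REGEX = r"D[0-9]{2}A[0-9]{5}\(Z[+-][0-9]{2}\)"

# The five names from the original post.
NAMES = [f"D01A0{n}023(Z+01)" for n in range(1, 6)]

# Assumption: directory taken from the monitor stanza; the on-disk suffix is
# unknown, so each name is tried both bare and with ".log".
MONITOR_DIR = "c:\\Filelog\\"
SUFFIXES = ["", ".log"]


def matches(pattern, path):
    """Unanchored search against the full path (assumed whitelist behaviour)."""
    return re.search(pattern, path) is not None


def evaluate(pattern):
    """Return {full_path: bool} for every name/suffix combination."""
    return {
        MONITOR_DIR + name + suffix: matches(pattern, MONITOR_DIR + name + suffix)
        for name in NAMES
        for suffix in SUFFIXES
    }


def discriminates(pattern):
    """True if the pattern treats the five names differently for any one suffix."""
    for suffix in SUFFIXES:
        verdicts = {matches(pattern, MONITOR_DIR + n + suffix) for n in NAMES}
        if len(verdicts) > 1:
            return True
    return False


if __name__ == "__main__":
    for label, pattern in (("OP whitelist", OP_WHITELIST), ("reply regex", REPLY_REGEX)):
        print(label)
        for path, ok in evaluate(pattern).items():
            print(f"  {'MATCH' if ok else 'skip '}  {path}")
        print(f"  separates the five names: {discriminates(pattern)}")
```

Under these assumptions every one of the five names gets the same verdict from each pattern, so the whitelist by itself does not separate the three files that are arriving from the two that are not.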