Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why am I losing data during transmission to Splunk

igor04653
Loves-to-Learn Everything
‎05-15-2022 10:45 PM

Hello. Community help please. I can't figure out the problem with the data transfer to splunk. I have an index and data sources from servers. The problem is that some of the data is lost during transfers. There are files on the server that are updated with a new name after a certain time. For example there are files N2-1.out01324, N2-1.out01325 they are searchable and Splunk can see them. But then files are updated with new name for example N2-1.out01326, N2-1.out01327 and these files are not available Splunk can't see them. Then the list is updated and files N2-1.out01328-1329 are visible again

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-15-2022 11:27 PM

Hi @igor04653,

as @PickleRick said, Splunk doesn't index a content twice even if the file has a different name, but the same content.

If you want to index all files, also duplicating logs, you should use 

crcSal = <SOURCE>

in this way Splunk index all files with a different filename even if they have the same content.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-15-2022 11:04 PM

It's not clear what you're talking about. If the file is called file1.log and is ingested into splunk, events from that file will have their source field set to,file1.log and it will never change no matter what you do with the file on the source server. If you later rename the file on the source computer, splunk will still know it's the same file (unless you configure it to include source filename in crc calculation) and will not re-read it again.

It's not clear what you're doing and what you're expecting.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...