
Why are DAT files not being read with my current monitor configurations?

Path Finder


I have configured an app being pushed from deployment server to a remote Windows host to read DAT files.

Links already referenced:

The configuration looks like this:

 sourcetype = mysourcetype


index = app
sourcetype = mysourcetype

It is weird that all the files in the folder are getting read, except for the required DAT files.

Can someone help with the best configurations, please?

Splunk Employee

I'd recommend reading here for best practices on monitor and wildcards:

Your monitors should look more like

sourcetype = mysourcetype

As for the source statement, this would re-sourcetype all dat files; however, I'm not sure if your syntax is correct on this. Typically it should look more like


Notice the 4 x "...." + ".dat". Yours doesn't have this, so I'm not sure if it's going to match correctly.

Out of curiosity, does your ".dat" contain ASCII or binary data? Without pre-processing this into ASCII / human-readable format, it won't be worth indexing.

Path Finder

esix [Splunk] ,

Thanks for your inputs here.

Yes, the DAT file contains ASCII value in readable format.

