Getting Data In

Why are DAT files not being read with my current monitor configurations?

Path Finder


I have configured an app being pushed from deployment server to a remote Windows host to read DAT files.

Links already referenced:

The configuration looks like this :

 sourcetype = mysourcetype


index = app
sourcetype = mysourcetype

It is weird that all the files in the folder getting read, except for the required DAT files.

Can someone help with the best configurations, please ?

0 Karma

Splunk Employee
Splunk Employee

I'd recommend reading here for best practices on monitor and wildcards :

Your monitors should look more like

sourcetype = mysourcetype

As for the source statement, this would re-sourcetype all dat files, however, Im not sure if your syntax is correct on this. Typically it should look more like


Notice the 4 x "...." + ".dat". Your's doesnt have this, so Im not sure if its going to match correctly.

Out of curiosity, does your ".dat" contain ascii or binary data? Without pre-processing this into ascii / human readable format, it wont be worth indexing.

Path Finder

esix [Splunk] ,

Thanks for your inputs here.

Yes, the DAT file contains ACII value in readable format.


0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!