Getting Data In

Why are DAT files not being read with my current monitor configurations?

Path Finder


I have configured an app being pushed from deployment server to a remote Windows host to read DAT files.

Links already referenced:

The configuration looks like this:

 sourcetype = mysourcetype


index = app
sourcetype = mysourcetype

It is weird that all the files in the folder are getting read, except for the required DAT files.

Can someone help with the best configurations, please?


Splunk Employee

I'd recommend reading here for best practices on monitor and wildcards:

Your monitors should look more like

sourcetype = mysourcetype

As for the source statement, this would re-sourcetype all dat files; however, I'm not sure if your syntax is correct on this. Typically it should look more like


Notice the 4 x "...." + ".dat". Yours doesn't have this, so I'm not sure if it's going to match correctly.

Out of curiosity, does your ".dat" contain ASCII or binary data? Without pre-processing this into ASCII / human-readable format, it won't be worth indexing.

Path Finder

esix [Splunk],

Thanks for your inputs here.

Yes, the DAT file contains ASCII values in readable format.

