Solved: Why is Splunk failing to index files I have config... - Splunk Community

Getting Data In

Hi All,

I'm running a Windows Splunk to monitor this log file stored in this directory H:\apps\apps1-xxx.csv where xxx is in date format.
My inputs.conf contains this stanza:

[monitor://H:\apps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d

So far Splunk failed to index those files with dates after creation of input. Does anyone what is wrong with this?

Thanks and appreciate for any help!

1 Solution

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

View solution in original post

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

didn't work..

Are all the files have modified date within 7 days (since you're using ignoreOlderThan attribute)? Can you open Command Prompt and run this command to check if you see those files in the output
(check Splunk install directory)

cmd> "c:\program files\Splunk\bin\splunk.exe" list monitor

somehow it got working after a pc restart

Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...