Solved: Why is Splunk failing to index files I have config... - Splunk Community

Getting Data In

Hi All,

I'm running a Windows Splunk to monitor this log file stored in this directory H:\apps\apps1-xxx.csv where xxx is in date format.
My inputs.conf contains this stanza:

[monitor://H:\apps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d

So far Splunk failed to index those files with dates after creation of input. Does anyone what is wrong with this?

Thanks and appreciate for any help!

1 Solution

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

View solution in original post

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

didn't work..

Are all the files have modified date within 7 days (since you're using ignoreOlderThan attribute)? Can you open Command Prompt and run this command to check if you see those files in the output
(check Splunk install directory)

cmd> "c:\program files\Splunk\bin\splunk.exe" list monitor

somehow it got working after a pc restart

Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...