Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk failing to index files I have configured in inputs.conf?

wiznil
New Member
‎04-14-2017 11:39 AM

Hi All,

I'm running a Windows Splunk to monitor this log file stored in this directory H:\apps\apps1-xxx.csv where xxx is in date format.
My inputs.conf contains this stanza:

[monitor://H:\apps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d

So far Splunk failed to index those files with dates after creation of input. Does anyone what is wrong with this?

Thanks and appreciate for any help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2017 12:14 PM

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2017 12:14 PM

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d
0 Karma
Reply
Solved! Jump to solution

wiznil
New Member
‎04-14-2017 12:24 PM

didn't work..

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-14-2017 12:38 PM

Are all the files have modified date within 7 days (since you're using ignoreOlderThan attribute)? Can you open Command Prompt and run this command to check if you see those files in the output
(check Splunk install directory)

cmd> "c:\program files\Splunk\bin\splunk.exe" list monitor
0 Karma
Reply
Solved! Jump to solution

wiznil
New Member
‎04-15-2017 09:04 AM

somehow it got working after a pc restart

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...