Getting Data In

Why is a text file with only one number not continuously read in Splunk 6.4.1 with my current inputs.conf?

mhornste
Path Finder

Hi,

I have set up batch files to count the number of documents in a folder. Splunk is running this batch file successfully every 60 seconds (this is working since I see it from the timestamp of the text files).

I have set it up as follows in my app's inputs.conf:

[monitor://D:\OT System Monitoring\countLivelinkToAdlib.txt]
disabled = false
index = otcs
interval = 60
sourcetype = OtcsAdlibCountsLivelinkAdlib
host = bbmag88
followTail = 0
initCrcLength = 512

[script://$SPLUNK_HOME\bin\scripts\countLivelinkToAdlib.bat]
disabled = false
interval = 60

When I check my index/sourcetype, I can see that the data is not coming in continuously (sometimes it is coming in, sometimes not). Since I have configured my panel to refresh every 60 seconds and only check for the value of the last 60 seconds, my panels sometimes do not show any data.

I have some log entries in my splunkd.log

06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='D:\OT System Monitoring\counteSignToLES.txt'.
06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\OT System Monitoring\counteSignToLES.txt'.

I guess that Splunk thinks that there is no change in the file (since sometimes the count is 0 for some time or the same value for some time).

Is there a way to fix this? I have already tried followTail and initCrcLength (see above).

Any ideas?

Thanks!

0 Karma

diogofgm
SplunkTrust

You can try to make it like this:

  1. your batch creates a file named with the time stamp instead of writing in the same file
  2. instead of using monitor you can use the batch:// stanza (which deletes the file after indexing)
  3. monitor (using batch) the folder where the files are created instead of monitoring a single file
  4. add crcSalt = <SOURCE> in the batch stanza

This way your batch creates a new file every time and the file name is also used for the CRC check, so it's always different and is always indexed even if the value inside doesn't change.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
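The four steps in the answer above, written out as an inputs.conf. This is an added example, not part of the original thread; the `counts` subfolder and the timestamped file name are assumptions, while the index, sourcetype, host and script path are taken from the question.

```ini
# Assumption: countLivelinkToAdlib.bat now writes each result to a NEW file, e.g.
#   D:\OT System Monitoring\counts\countLivelinkToAdlib_20160630_085959.txt
# (hypothetical folder and naming scheme) instead of overwriting one file.

# Before (from the question): a single file rewritten in place. When the
# count does not change, the content is identical and nothing new is indexed.
# [monitor://D:\OT System Monitoring\countLivelinkToAdlib.txt]

# After: a batch input on the folder that receives the timestamped files.
[batch://D:\OT System Monitoring\counts]
disabled = false
# Required for batch inputs: each file is deleted once it has been indexed.
move_policy = sinkhole
# Mix the full source path into the CRC so that files with identical content
# but different names are treated as distinct files.
crcSalt = <SOURCE>
index = otcs
sourcetype = OtcsAdlibCountsLivelinkAdlib
host = bbmag88

# Unchanged from the question: run the counting script every 60 seconds.
[script://$SPLUNK_HOME\bin\scripts\countLivelinkToAdlib.bat]
disabled = false
interval = 60
```

Because `move_policy = sinkhole` deletes whatever it indexes, the batch folder should hold nothing but the count files. Each event's `source` becomes the individual file name, so dashboard searches should filter on `sourcetype` rather than `source`.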