Getting Data In

Why is a text file with only one number not continuously read in Splunk 6.4.1 with my current inputs.conf?

mhornste
Path Finder

Hi,

I have set up batch files to count the number of documents in a folder. Splunk is running this batch file successfully every 60 seconds (this is working since I see it from the timestamp of the text files).

I have set it up as follows in my app's inputs.conf:

[monitor://D:\OT System Monitoring\countLivelinkToAdlib.txt]
disabled = false
index = otcs
interval = 60
sourcetype = OtcsAdlibCountsLivelinkAdlib
host = bbmag88
followTail = 0
initCrcLength = 512

[script://$SPLUNK_HOME\bin\scripts\countLivelinkToAdlib.bat]
disabled = false
interval = 60

When I check my index/sourcetype, I can see that the data is not coming in continuously (sometimes it is coming in, sometimes not). Since I have configured my panel to refresh every 60 seconds and only check for the value of the last 60 seconds, my panels sometimes do not show any data.

I have some log entries in my splunkd.log:

06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='D:\OT System Monitoring\counteSignToLES.txt'.
06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\OT System Monitoring\counteSignToLES.txt'.

I guess that Splunk thinks that there is no change in the file (since sometimes the count is 0 for some time or the same value for some time).

Is there a way to fix this? I have already tried followTail and initCrcLength (see above).

Any ideas?

Thanks!

0 Karma

diogofgm
SplunkTrust

You can try to make it like this:

  1. Your batch creates a file named with the timestamp instead of writing to the same file
  2. Instead of using monitor, you can use the batch:// stanza (which deletes the file after indexing)
  3. Monitor (using batch) the folder where the files are created instead of monitoring a single file
  4. Add crcSalt = <SOURCE> in the batch stanza

This way your batch creates a new file every time and the file name is also used for the CRC check, so it's always different and is always indexed even if the value inside doesn't change.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
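
The four steps in the answer above, written out as an inputs.conf fragment. This is an added example, not configuration posted by either participant; the `counts` subfolder and the whitelist pattern are assumptions, and the index, sourcetype, host and script path are taken from the question.

```ini
# Assumption: the .bat file now writes one new file per run, named with a
# timestamp, into a dedicated subfolder (hypothetical name "counts").
# Use a folder that holds nothing else: a batch input with
# move_policy = sinkhole deletes every file it indexes.
[batch://D:\OT System Monitoring\counts]
disabled = false
# Required for batch inputs: index the file, then delete it.
move_policy = sinkhole
# Mix the full source path into the CRC so that two files with the same
# content (for example a count of 0 twice in a row) are still treated as
# different files.
crcSalt = <SOURCE>
# Assumption: only pick up the .txt files the script writes.
whitelist = \.txt$
index = otcs
sourcetype = OtcsAdlibCountsLivelinkAdlib
host = bbmag88

# The scripted input from the question is unchanged and still runs the
# batch file every 60 seconds.
[script://$SPLUNK_HOME\bin\scripts\countLivelinkToAdlib.bat]
disabled = false
interval = 60
```

After a restart, the splunkd.log entries for the new input should reference the files under the `counts` folder, and the folder should be empty between script runs once each file has been indexed.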