Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is a text file with only one number not continuously read in Splunk 6.4.1 with my current inputs.conf?

mhornste
Path Finder
‎06-30-2016 12:45 AM

Hi,

I have set up batch files to count the number of documents in a folder. Splunk is running this batch file successfully every 60 seconds (this is working since I see it from the timestamp of the text files).

I have set it up as follows in my app's inputs.conf:

[monitor://D:\OT System Monitoring\countLivelinkToAdlib.txt]
disabled = false
index = otcs
interval = 60
sourcetype = OtcsAdlibCountsLivelinkAdlib
host = bbmag88
followTail = 0
initCrcLength = 512

[script://$SPLUNK_HOME\bin\scripts\countLivelinkToAdlib.bat]
disabled = false
interval = 60

When I check my index/ sourcetype, I can see that the data is not coming in continuously (sometimes it is coming in, sometimes not). Since I have configured my panel to refresh every 60 seconds and only check for the value of the last 60 seconds, my panels sometimes do not show any data.

I have some log entries in my splunkd.log 

06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='D:\OT System Monitoring\counteSignToLES.txt'.
06-30-2016 08:59:59.278 +0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\OT System Monitoring\counteSignToLES.txt'.

I guess that Splunk thinks that there is no change in the file (since sometimes the count is 0 for some time or the same value for some time).

Is there a way to fix this? I have already tried followTail and initCrCLength (see above).

Any ideas?

Thanks!

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎06-30-2016 02:16 AM

You can try to make it like this:

  1. your batch creates a file named with the time stamp instead of writing in the same file
  2. instead of using monitor you can use the batch:// stanza (which deletes the file after indexing)
  3. monitor (using batch) the folder where the files are created instead of monitoring a single file
  4. add crcSalt = <SOURCE> in the batch stanza

this way your batch creates a new file every time and the file named is also used for crc check, so its always different and is always index even if the value inside doesn't change.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...