I am indexing SSRS logs. The path to the logs is:
C:\Program Files\MSRS12.MSSQLSERVER\Reporting Services\LogFiles. The forwarder sends and the indexer receives but it is only indexing the first log file in the directory. For example, we added a new server that has SSRS logs. I put a monitor in inputs.conf for the path to the log files. In that directory it has logs dating from 5/5/2015 - 5/21/2015. I go to our Splunk instance and do a simple search for index=ssrs and it populates data but the most recent date is 5/5/2015. None of the other log files have been indexed. Any suggestions?
Are the first 256 bytes of each file the same? (Offhand I think it's 256 bytes for the hashing that the forwarder does) a possibility is that could the forwarder be thinking these are rolls of the same file and therefore not indexing any beyond the first (if this is the problem you would solve this with crcSalt=<SOURCE> in inputs.conf on the forwarder (double check exact syntax here, I'm on my phone)
Yes, there is a header at the beginning of each log file that has the same information. I will add it to inputs.conf and give it a shot. Thank you!
Seems to be working fine now. That addition to inputs.conf did the trick. Thank you very much sir!
Excellent! (Converted to an answer so it can be marked as accepted)