Here is the inputs.conf entry:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv
However, as I monitor /opt/splunk/var/run/splunk/csv/ I see the CSV files are still there, and not getting indexed. This should have been a really simple test, but can't figure out why batch is not working.
If I hardcode a specific CSV file it works:
[batch://opt/splunk/var/run/splunk/csv/test.csv]
disabled = false
move_policy = sinkhole
index = test-metrics
sourcetype = metrics_csv
But obviously I need it to get all the CSV files, so I should be able to use the wildcard *.csv
Wow, what a simple typo that was really hard to see until I took the time and ran:
sudo -u splunk /opt/splunk/bin/splunk list inputstatus
/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'.
That little ^opt at the beginning showed me that I was missing an extra "/" in:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
It should be:
[batch:///opt/splunk/var/run/splunk/csv/*.csv]
So, all good to go.
Wow, what a simple typo that was really hard to see until I took the time and ran:
sudo -u splunk /opt/splunk/bin/splunk list inputstatus
/opt/splunk/var/run/splunk/csv/test.csv
parent = opt/splunk/var/run/splunk/csv/*.csv
type = File did not match whitelist '^opt\/splunk\/var\/run\/splunk\/csv/[^/]*\.csv$'.
That little ^opt at the beginning showed me that I was missing an extra "/" in:
[batch://opt/splunk/var/run/splunk/csv/*.csv]
It should be:
[batch:///opt/splunk/var/run/splunk/csv/*.csv]
So, all good to go.
Hi @dbray_sd
try this
[monitor///opt/splunk/var/run/splunk/csv/*.csv]
if doesn't work and on your path are present only csv you can try this
[monitor///opt/splunk/var/run/splunk/csv/]
I need it to be batch, not monitor.