Hi ..
I am indexing a file stored in
/bptm_logs/pub/input/PUB_EG3/perfLog_PUB_EG3_57466.txt
as soon as the file is indexed , i am seeing the source path in the search query as
/bptm_logs/pub/input/PUB_EG3/.stats.perfLog_PUB_EG3_57466.txtstatsbptmclar
wat does .stats and .txtstatsbptmclar mean here . Is this expected behaviour ..
query i have used to find the source files is ..
index="main" | dedup source | table source
for those files when i see the data it is something like this
index="main" source=".stats"
sample data for the above query.
64776,163937,33200,1,500,506,0,225550,1365596402,1365596163,1365596163,4096,464,224681,NONE
Actually this data is not present in my file . Can you pls tell from where this data is being indexed or forwarded. is this the bug in forwarder settings ??
Please help.
Sounds like it's a temporary file living in the same directory, and Splunk saw it and indexed the contents while it was in flight.
Thanks Ayn !!
Uh, well blacklisting (or whitelisting) would be exactly the way to tell Splunk not to consider them.
Yeah sowings..i figured a hidden file in it....can we tell splunk not to consider hidden files or something..without using the blacklist option ??