source file name discripency in the logs ?

rakesh_498115 · ‎04-10-2013

Hi ..

I am indexing a file stored in
/bptm_logs/pub/input/PUB_EG3/perfLog_PUB_EG3_57466.txt

as soon as the file is indexed , i am seeing the source path in the search query as

/bptm_logs/pub/input/PUB_EG3/.stats.perfLog_PUB_EG3_57466.txtstatsbptmclar

wat does .stats and .txtstatsbptmclar mean here . Is this expected behaviour ..

query i have used to find the source files is ..

index="main" | dedup source | table source

for those files when i see the data it is something like this
index="main" source=".stats"

sample data for the above query.

64776,163937,33200,1,500,506,0,225550,1365596402,1365596163,1365596163,4096,464,224681,NONE

Actually this data is not present in my file . Can you pls tell from where this data is being indexed or forwarded. is this the bug in forwarder settings ??

Please help.

sowings · ‎04-10-2013

Sounds like it's a temporary file living in the same directory, and Splunk saw it and indexed the contents while it was in flight.

rakesh_498115 · ‎04-12-2013

Thanks Ayn !!

Ayn · ‎04-11-2013

Uh, well blacklisting (or whitelisting) would be exactly the way to tell Splunk not to consider them.

rakesh_498115 · ‎04-11-2013

Yeah sowings..i figured a hidden file in it....can we tell splunk not to consider hidden files or something..without using the blacklist option ??

source file name discripency in the logs ?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...