Solved: windows UF issues

crazyeva · ‎07-07-2014

I installed a windows universal forwarder, to send some txt files to indexer.
those txt files are named with timestamp, say 20140707120100_xx.txt.
i'd like splunk to eat every newly generated txt file, nomatter if in 'default crclength' is the same content.
because a new file maybe just exactly the same with the last one, except a last line...

i found 'crcSalt = *.txt' does not work, and 'initCrcLength' will be too large a number to make effect.
What should i do to force splunk eat files with same and very very long head?

martin_mueller · ‎07-07-2014

You can set this to make Splunk include the filename in the CRC calculation:

crcSalt = <SOURCE>

That's literally <SOURCE>, it'll substitute the filename itself in each case.

View solution in original post

martin_mueller · ‎07-07-2014

You can set this to make Splunk include the filename in the CRC calculation:

crcSalt = <SOURCE>

That's literally <SOURCE>, it'll substitute the filename itself in each case.

crazyeva · ‎07-07-2014

thank you, now at last i understand what '' means!
i am so stupid

windows UF issues

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk