Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk config help to completely reindex a file

NAVEEN_CTS
Path Finder
‎06-04-2019 06:07 AM

Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.

When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index

Here the file name will not be changed, only data inside the file will be updated.

I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work

is there any way to make splunk to reindex the file again?

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 06:50 AM

Hello there @NAVEEN_CTS

Have u try this?

[sourcetype]
 CHECK_METHOD = entire_md5
...
0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-04-2019 07:06 AM

Where should i add this? inputs.conf or props.conf ?

Currently my set up is like UF --> HF--> IDX

I do some extraction at HF using the sourcetype.

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 07:35 AM

props.conf in the UF

0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-04-2019 09:56 AM

@alemarzu It didnt help as well....same result

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 10:58 AM

I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5

0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-10-2019 05:23 AM

Hi @alemarzu , Still it didn't work

My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again

My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test

My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...