Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk config help to completely reindex a file

NAVEEN_CTS
Path Finder
‎06-04-2019 06:07 AM

Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.

When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index

Here the file name will not be changed, only data inside the file will be updated.

I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work

is there any way to make splunk to reindex the file again?

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 06:50 AM

Hello there @NAVEEN_CTS

Have u try this?

[sourcetype]
 CHECK_METHOD = entire_md5
...
0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-04-2019 07:06 AM

Where should i add this? inputs.conf or props.conf ?

Currently my set up is like UF --> HF--> IDX

I do some extraction at HF using the sourcetype.

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 07:35 AM

props.conf in the UF

0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-04-2019 09:56 AM

@alemarzu It didnt help as well....same result

0 Karma
Reply

alemarzu
Motivator
‎06-04-2019 10:58 AM

I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5

0 Karma
Reply

NAVEEN_CTS
Path Finder
‎06-10-2019 05:23 AM

Hi @alemarzu , Still it didn't work

My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again

My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test

My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...