Installation

Splunk config help to completely reindex a file

NAVEEN_CTS
Path Finder

Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.

When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index

Here the file name will not be changed, only data inside the file will be updated.

I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work

is there any way to make splunk to reindex the file again?

0 Karma

alemarzu
Motivator

Hello there @NAVEEN_CTS

Have u try this?

[sourcetype]
 CHECK_METHOD = entire_md5
...
0 Karma

NAVEEN_CTS
Path Finder

Where should i add this? inputs.conf or props.conf ?

Currently my set up is like UF --> HF--> IDX

I do some extraction at HF using the sourcetype.

0 Karma

alemarzu
Motivator

props.conf in the UF

0 Karma

NAVEEN_CTS
Path Finder

@alemarzu It didnt help as well....same result

0 Karma

alemarzu
Motivator

I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5

0 Karma

NAVEEN_CTS
Path Finder

Hi @alemarzu , Still it didn't work

My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again

My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test

My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...