Solved: SPLUNK doesn't pick same content with different fi...

AKG1_old1 · ‎09-27-2016

Hello,

I want to monitor multiple files which contain same content but different file name.

For example:
counts_sybase15_2016-09-26-12-20-21_START.log
counts_sybase15_2016-09-26-13-02-18_STOP.log

these files are in same folder and having same size but splunk is picking only 1 file.

Is there any specific configuration which make splunk to pick differernt file without consent of content ?

Regards,
Ankit

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

View solution in original post

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

SPLUNK doesn't pick same content with different file name.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation