Solved: SPLUNK doesn't pick same content with different fi...

AKG1_old1 · ‎09-27-2016

Hello,

I want to monitor multiple files which contain same content but different file name.

For example:
counts_sybase15_2016-09-26-12-20-21_START.log
counts_sybase15_2016-09-26-13-02-18_STOP.log

these files are in same folder and having same size but splunk is picking only 1 file.

Is there any specific configuration which make splunk to pick differernt file without consent of content ?

Regards,
Ankit

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

View solution in original post

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

SPLUNK doesn't pick same content with different file name.

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

SPLUNK doesn't pick same content with different file name.

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management