Monitoring Splunk

How to index json files or monitor json files

wm
Loves-to-Learn Everything

this is inputs.conf 

[monitor://D:\temp\zkstats*.json]
crcSalt = <SOURCE>
disabled = false
followTail = 0
index = abc
sourcetype = zk_stats

props.conf

[zk_stats]
KV_MODE = json
INDEXED_EXTRACTIONS = json

However, my search code index=abc sourcetype = zk_stats is not getting new events. Meaning to say, if new files come in, zkstats20240824_0700 for example, it won't re-index.

0 Karma

PickleRick
SplunkTrust

1. Check your

splunk list monitor

and

splunk list inputstatus

output

2. Why use crcSalt?

3. Don't use KV_MODE=json when you're using INDEXED_EXTRACTIONS=json and vice versa. (that's not connected to the problem at hand but useful anyway)

 

0 Karma

wm
Loves-to-Learn Everything

How to check the splunk list monitor / where etc.

0 Karma

wm
Loves-to-Learn Everything

Logs mention this:
08-27-2024 13:00:20.824 +0800 INFO TailingProcessor [32248 MainTailingThread] - Parsing configuration stanza: monitor://D:\temp\zkstats.json.

0 Karma

wm
Loves-to-Learn Everything

[sourcetype]
KV_MODE = json
INDEXED_EXTRACTIONS = json

This is my props.conf

I am not able to actually get data in to even consider the crcsalt source

0 Karma

gcusello
SplunkTrust

Hi @wm ,

don't use crcSalt = <SOURCE> in your inputs.conf.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @wm ,

Why are you using crcSalt=<SOURCE>?

It's usually used to reindex already indexed data; it usually isn't useful.

Try to delete it.

Ciao.

Giuseppe

0 Karma