Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to index json files that or monitor json files

wm
Loves-to-Learn Everything
‎08-23-2024 02:18 AM

this is inputs.conf 

[monitor://D:\temp\zkstats*.json]
crcSalt = <SOURCE>
disabled = false
followTail = 0
index = abc
sourcetype = zk_stats

props.conf

[zk_stats]
KV_MODE = json
INDEXED_EXTRACTIONS = json

however my search code index=abc sourcetype = zk_stats is not getting new events. meaning to say if zkstats20240824_0700 for example new files coming in it wont re index

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 04:36 AM

1. Check your

splunk list monitor

and

splunk list inputstatus

output

2. Why use crcSalt?

3. Don't use KV_MODE=json when you're using INDEXED_EXTRACTIONS=json and vice versa. (that's not connected to the problem at hand but useful anyway)

 

0 Karma
Reply

wm
Loves-to-Learn Everything
‎08-27-2024 06:55 PM

How to check the splunk lsit monitor/ where etc

0 Karma
Reply

wm
Loves-to-Learn Everything
‎08-26-2024 10:11 PM

Logs mentions this
08-27-2024 13:00:20.824 +0800 INFO TailingProcessor [32248 MainTailingThread] - Parsing configuration stanza: monitor://D:\temp\zkstats.json.

0 Karma
Reply

wm
Loves-to-Learn Everything
‎08-26-2024 09:57 PM

[sourcetype]
KV_MODE = json
INDEXED_EXTRACTIONS = json

This is my props.conf

I am not able to actually get data in to even consider the crcsalt source

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-26-2024 11:10 PM

Hi @wm ,

don't use crcSalt = <SOURCE> in your inputs.conf.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2024 02:49 AM

Hi @wm ,

why are you using crcSalt=<SOURCE> ?

It's usually used to reindex already indexed data, usually isn't useful.

try to delete it.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...