How to index json files that or monitor json files

wm · ‎08-23-2024

this is inputs.conf

[monitor://D:\temp\zkstats*.json]
crcSalt = <SOURCE>
disabled = false
followTail = 0
index = abc
sourcetype = zk_stats

props.conf

[zk_stats]
KV_MODE = json
INDEXED_EXTRACTIONS = json

however my search code index=abc sourcetype = zk_stats is not getting new events. meaning to say if zkstats20240824_0700 for example new files coming in it wont re index

PickleRick · ‎08-27-2024

1. Check your

splunk list monitor

and

splunk list inputstatus

output

2. Why use crcSalt?

3. Don't use KV_MODE=json when you're using INDEXED_EXTRACTIONS=json and vice versa. (that's not connected to the problem at hand but useful anyway)

wm · ‎08-27-2024

How to check the splunk lsit monitor/ where etc

wm · ‎08-26-2024

Logs mentions this
08-27-2024 13:00:20.824 +0800 INFO TailingProcessor [32248 MainTailingThread] - Parsing configuration stanza: monitor://D:\temp\zkstats.json.

wm · ‎08-26-2024

[sourcetype]
KV_MODE = json
INDEXED_EXTRACTIONS = json

This is my props.conf

I am not able to actually get data in to even consider the crcsalt source

gcusello · ‎08-26-2024

Hi @wm ,

don't use crcSalt = <SOURCE> in your inputs.conf.

Ciao.

Giuseppe

gcusello · ‎08-23-2024

Hi @wm ,

why are you using crcSalt=<SOURCE> ?

It's usually used to reindex already indexed data, usually isn't useful.

try to delete it.

Ciao.

Giuseppe

How to index json files that or monitor json files

error

proactive Splunk component monitoring

splunk-assist

splunkd

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?