Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Monitoring a text file Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring a text file Issue
I am trying to extract some information from a text file. This is how my inputs.conf looks like,
[monitor://C:\Temp\ServerInfo_Tag.txt]
sourcetype = ABC
index = filelog
crcSalt =
I pushed this config across 4000 windows servers. Ideally Splunk should pickup the file content as soon as the config is pushed.
But strange thing here is, I can see the file content as an event on Splunk for ONLY 3000 servers.
For the other 1000 servers I have to modify the file to get the file content on Splunk.
Is there a way to get the file content without modifying the file?
Config doesn't seem to be an issue here as it it working for other servers and there are no port related issues on the other 1000 servers as I can see the data on Splunk after modifying the file.
Any suggestions here are highly appreciated.
Thanks,
Channesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would check splunkd.log (index=_internal sourcetype=splunkd host=yourWinServer) for errors for the file. Are you restarting splunk on your windows servers after pushing the configurations (handled by restartSplunkd attribute on serverclass.conf)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 Log has this information which is hard to understand.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\CWXTI\ServerInfo_Tag.txt.
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Adding watch on path: C:\CWXTI\ServerInfo_Tag.txt.
Yes, servers are being restarted after pushing the configurations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 I could these logs related to the file I am monitoring.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\CWXTI\ServerInfo_Tag.txt.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\Program Files\CernerESM\sentinel\sentinel.config.
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Adding watch on path: C:\CWXTI\ServerInfo_Tag.txt.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[monitor://C:\CWXTI\ServerInfo_Tag.txt]
crcSalt =
sourcetype = SENT
index = wineventlog
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
