Splunk file monitoring issue

uagraw01 · ‎03-06-2024

walmart_2.xml

walmart_3.xml

walmart_4.xml

Scenerio I

When using below configuration in Inputs.conf we can able to monitor in splunk

[monitor://D:\scada_server\walmart_2.xml]

disabled = false

host = WALVAU-VIDI-1

index = 2313917_2797418_scada

sourcetype = Scada_walmart_alarm

crcSalt = <SOURCE>

CHECK_METHOD = entire_md5

Scenerio 2

Hello Splunkers!!

I need your help to fix this issue.
When using below configuration in Inputs.conf we can't able to monitor in splunk.

[monitor://D:\scada_server\walmart_*.xml]

disabled = false

host = WALVAU-VIDI-1

index = 2313917_2797418_scada

sourcetype = Scada_walmart_alarm

crcSalt = <SOURCE>

CHECK_METHOD = entire_md5

Please suggest some workaround.

kiran_panchavat · ‎03-06-2024

@uagraw01 Hello, All files with the.xml extension, such as /scada_server/walmart_1.xml, /scada_server/walmart_2.xml, /scada_server/walmart_3.xml, and so forth, are matched by /walmart_*.xml. Could you please verify the permissions for every file inside this directory?And also, You can try to remove the CrCSalt and try.

Check the below document for more examples:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards

gcusello · ‎03-06-2024

Hi @uagraw01,

sorry but I don't understand your question, anyway, then, why do are using crcSalt=<SOURCE>?

please try this:

[monitor://D:\scada_server\walmart_*.xml]
disabled = false
host = WALVAU-VIDI-1
index = 2313917_2797418_scada
sourcetype = Scada_walmart_alarm
CHECK_METHOD = entire_md5

Then why are you using a so complex index?

Ciao.

Giuseppe

uagraw01 · ‎03-06-2024

@gcusello @kiran_panchavat I have permission on the directory as well. I tried without using crcSalt as well. But no luck was found.

Splunk file monitoring issue

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?