Monitoring Splunk
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk file monitoring issue

uagraw01
Motivator
‎03-06-2024 02:56 AM 
walmart_2.xml

walmart_3.xml

walmart_4.xml

Scenerio I

 

When using below configuration in Inputs.conf we can able to monitor in splunk
 

[monitor://D:\scada_server\walmart_2.xml]

disabled = false

host = WALVAU-VIDI-1

index = 2313917_2797418_scada

sourcetype = Scada_walmart_alarm

crcSalt = <SOURCE>

CHECK_METHOD = entire_md5

 

Scenerio 2

 

Hello Splunkers!!

I need your help to fix this issue.
When using below configuration in Inputs.conf we can't able to monitor in splunk.

 

[monitor://D:\scada_server\walmart_*.xml]

disabled = false

host = WALVAU-VIDI-1

index = 2313917_2797418_scada

sourcetype = Scada_walmart_alarm

crcSalt = <SOURCE>

CHECK_METHOD = entire_md5

 

Please suggest some workaround.

0 Karma
Reply

kiran_panchavat
Motivator
‎03-06-2024 03:20 AM

@uagraw01 Hello, All files with the.xml extension, such as /scada_server/walmart_1.xml, /scada_server/walmart_2.xml, /scada_server/walmart_3.xml, and so forth, are matched by /walmart_*.xml. Could you please verify the permissions for every file inside this directory?And also,  You can try to remove the CrCSalt and try. 

Check the below document for more examples: 

https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards 

 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-06-2024 03:12 AM

Hi @uagraw01,

sorry but I don't understand your question, anyway, then, why do are using crcSalt=<SOURCE>?

please try this:

[monitor://D:\scada_server\walmart_*.xml]
disabled = false
host = WALVAU-VIDI-1
index = 2313917_2797418_scada
sourcetype = Scada_walmart_alarm
CHECK_METHOD = entire_md5

Then why are you using a so complex index?

Ciao.

Giuseppe

0 Karma
Reply

uagraw01
Motivator
‎03-06-2024 04:31 AM

@gcusello @kiran_panchavat I have permission on the directory as well. I tried without using crcSalt as well. But no luck was found.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top