Reporting

After adding another file to a monitored directory, why is there no change in the search results for a report?

adityaanand
Explorer

Hi,

I am trying to monitor a directory called RSD and it contains a file RSDReport.xml.
When I start searching, it shows 500 events, and I made a simple report.
After some time, I added another file RSDReport1.xml in the RSD directory, but there are no changes in the search result.

Now my questions are:
1) Should the report be automatically updated without any event generated by me?
2) Should I run the search again?
3) Will I have to restart the Splunk service?

One thing I would like to mention here is that both files don't contain the same initial 256 bytes.
Again, when I added initCrcLength = 2000 in inputs.conf, restarted the Splunk service, and ran the search again, it gave the expected output.
I am thinking that when I am monitoring a directory, changes should be reflected automatically. We need not bother about restarting the Splunk service and re-running the search.

Please guide me about directory monitoring. I read the documentation and I have a little bit of an idea about it.

Thanks,
Aditya


woodcock
Esteemed Legend

I think you have a TZ issue with your timestamping and your "nowish" events are showing up "in the future". To test this, the next time you forward a file, run your search for all time which is the only way to see events mis-timestamped into the future. There is also a log that shows this. You can confirm this sort of a problem with this search:

... | eval lagSeconds = _indextime - _time | stats avg(lagSeconds) by sourcetype,host,index

If the lagSeconds is negative, then you definitely have this problem.

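The initCrcLength fix in the question is worth seeing in miniature. The monitor input fingerprints a file by a CRC over its leading bytes (256 by default), so two reports that share a long boilerplate header look like the same file until the CRC window is widened. The following added example, which is not from the thread or from Splunk's own code, models that check with CRC-32 over two constructed XML reports and finds the smallest window that tells them apart; the sample files and the use of CRC-32 are assumptions for illustration.

```python
import zlib

# Constructed sample data: two XML reports whose first 370 bytes are identical
# (declaration, root element, repeated boilerplate) and that differ only in the body.
HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<RSDReport schema="http://example.invalid/rsd/v1">\n'
    + b'  <meta generator="report-tool" />\n' * 8
)
RSD_REPORT = HEADER + b'  <event id="1">alpha</event>\n</RSDReport>\n'
RSD_REPORT1 = HEADER + b'  <event id="2">beta</event>\n</RSDReport>\n'


def init_crc(data: bytes, init_crc_length: int = 256) -> int:
    """Model of the monitor input's first-read fingerprint: a CRC-32 over the
    leading init_crc_length bytes. 256 is the documented default window;
    initCrcLength in inputs.conf widens it. Illustrative only, not Splunk's code."""
    return zlib.crc32(data[:init_crc_length]) & 0xFFFFFFFF


def is_seen_as_same_file(a: bytes, b: bytes, init_crc_length: int = 256) -> bool:
    """True when the two files would collide on the fingerprint and the second
    one would be treated as an already-known file rather than a new one."""
    return init_crc(a, init_crc_length) == init_crc(b, init_crc_length)


def min_crc_length_to_distinguish(a: bytes, b: bytes, limit: int = 4096):
    """Smallest window length at which the fingerprints differ, or None if the
    files are identical for the first `limit` bytes (a crcSalt case, not a
    window-size case)."""
    for n in range(1, limit + 1):
        if init_crc(a, n) != init_crc(b, n):
            return n
    return None


if __name__ == "__main__":
    print("collide at 256 bytes:", is_seen_as_same_file(RSD_REPORT, RSD_REPORT1))
    print("collide at 2000 bytes:", is_seen_as_same_file(RSD_REPORT, RSD_REPORT1, 2000))
    print("minimum initCrcLength:", min_crc_length_to_distinguish(RSD_REPORT, RSD_REPORT1))
```

If the files really are byte-identical for thousands of bytes, widening the window never helps and crcSalt = &lt;SOURCE&gt; (fingerprint per file path) is the setting to look at instead.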