new files added to the directory are not getting i...

ankitarath2011 · ‎04-27-2023

We are trying to ingest data from csv files. We have a monitoring stanza in inputs.conf which monitors all csv in a folder.
Copied one file to that folder and data got ingested. After that tried copying new files to that folder but it stopped ingesting.
New file is quite different than previous one. Have also tried different index/props, but same issue
New files added to the directory are not getting ingested until you restart Splunk.

Below is the monitoring stanza and props that we used. The inputs and props are in Heavy Forwarder and it is sending data to indexer cluster.

[monitor:///f1/f2/f3/*.csv]
disabled = 0
index = test_input
sourcetype = test
initCrcLength = 2048
_TCP_ROUTING = test_indexer
crcSalt =<SOURCE>

Below is the props.

[test]
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = mytime
TIME_FORMAT = %Y-%m-%d %H:%M:%S
FIELD_DELIMITER = ,
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

new files added to the directory are not getting ingested until you restart Splunk

troubleshooting

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?