new files added to the directory are not getting i...

ankitarath2011 · ‎04-27-2023

We are trying to ingest data from csv files. We have a monitoring stanza in inputs.conf which monitors all csv in a folder.
Copied one file to that folder and data got ingested. After that tried copying new files to that folder but it stopped ingesting.
New file is quite different than previous one. Have also tried different index/props, but same issue
New files added to the directory are not getting ingested until you restart Splunk.

Below is the monitoring stanza and props that we used. The inputs and props are in Heavy Forwarder and it is sending data to indexer cluster.

[monitor:///f1/f2/f3/*.csv]
disabled = 0
index = test_input
sourcetype = test
initCrcLength = 2048
_TCP_ROUTING = test_indexer
crcSalt =<SOURCE>

Below is the props.

[test]
INDEXED_EXTRACTIONS = csv
CHECK_FOR_HEADER = true
HEADER_FIELD_LINE_NUMBER = 1
TIMESTAMP_FIELDS = mytime
TIME_FORMAT = %Y-%m-%d %H:%M:%S
FIELD_DELIMITER = ,
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

new files added to the directory are not getting ingested until you restart Splunk

troubleshooting

using Splunk Enterprise

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation