Reindex file with same data but different timestam...

AnmolKohli · ‎01-17-2019

There is a file which has same data but file is deleted after few hours and placed again with same data but different timestamp. Splunk has indexed the data once but I want an alert to be triggered whenever the timestamp of the file has changed. Since the file is not getting indexed again I am unable to take care of the same. Anything that can be done to solve this?

nikita_p · ‎01-17-2019

Hi,
If you want to reindex your data then your will have to add crcSalt in your inputs.conf.

By default, the input only performs CRC checks against the first 256 bytes of a file. This behavior prevents the input from indexing the same file twice, even though you might have renamed it, as with rolling log files, for example. Because the CRC is based on only the first few lines of the file, it is possible for legitimately different files to have matching CRCs, particularly if they have identical headers.
If set, string is added to the CRC.
If set to the literal string "SOURCE" (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to SOURCE.
Be cautious about using this setting with rolling log files; it could lead to the log file being re-indexed after it has rolled.
In many situations, initCrcLength can be used to achieve the same goals.
Default: empty string.

Reindex file with same data but different timestamp

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation