Reindex file with same data but different timestam...

AnmolKohli · ‎01-17-2019

There is a file which has same data but file is deleted after few hours and placed again with same data but different timestamp. Splunk has indexed the data once but I want an alert to be triggered whenever the timestamp of the file has changed. Since the file is not getting indexed again I am unable to take care of the same. Anything that can be done to solve this?

nikita_p · ‎01-17-2019

Hi,
If you want to reindex your data then your will have to add crcSalt in your inputs.conf.

By default, the input only performs CRC checks against the first 256 bytes of a file. This behavior prevents the input from indexing the same file twice, even though you might have renamed it, as with rolling log files, for example. Because the CRC is based on only the first few lines of the file, it is possible for legitimately different files to have matching CRCs, particularly if they have identical headers.
If set, string is added to the CRC.
If set to the literal string "SOURCE" (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked, it is usually set to SOURCE.
Be cautious about using this setting with rolling log files; it could lead to the log file being re-indexed after it has rolled.
In many situations, initCrcLength can be used to achieve the same goals.
Default: empty string.

Reindex file with same data but different timestamp

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life