Hello All
I tried to Extract the Files and Created Monitor Stanza For it and It Worked.
But the Upload Method is Much more Convenient in Our Case
I noticed Also that the Previously Uploaded Files Doesn't Index any New Data (after Deleting and Creating New Index or Deleting Events Using the |Delete Search Command).
after some Readings I Got to Know that Splunk Doesn't Re-index Duplicate Files (CRCing the first 265 bytes of a file) and one can Configure crcSalt in inputs.conf .
But I'm not sure if this Can work with Web Uploaded or CLI ( oneshot ) indexed Files.
the other thing that I Came Across is (I'm also not sure also if this is Right as it was in the Forums) that Splunk Caches the Automatically Assigned SourceType of a file for 5 Minutes will will not recalculate it Before that time Elapses.
I spend Hours trying to Modify the Props.conf <source::> Stanzas and Kept on Retrying Deleting indexed Events
(also Deleting the Entire Index and Recreating it) and Re indexing it for the Same Archive Files with no luck, and I See that May be this is the Reason.
Appreciate if Someone Correct me if I'm Wrong, or Have Solution in mind.
Thanks
... View more