Solved: Re: Send data from file even if there is no change

shreyasathavale · ‎02-24-2020

I have a file in a directory, whose timestamp is changed everyday using "touch" command. The contents might change after 3 months but not daily.
I need to monitor this file in splunk and read the contents even if they are same.

manjunathmeti · ‎02-24-2020

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime

View solution in original post

manjunathmeti · ‎02-24-2020

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime

shreyasathavale · ‎02-24-2020

I tried this but somehow it is not working

manjunathmeti · ‎02-24-2020

can you post inputs.conf and props.conf for this source?

shreyasathavale · ‎02-24-2020

Hi, these are the conf files
Inputs.conf is:
[monitor://D:\splunk\abc.csv]
disabled = false
index = main
sourcetype = abccsv

Props.conf:
[labccsv]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
disabled = false
maxDist = 75
pulldown_type = true
CHECK_METHOD = modtime

manjunathmeti · ‎02-24-2020

CHECK_METHOD = modtime must be set for [source:] stanza only not sourcetype.

Add this to props.conf.

[source::D:\splunk\abc.csv]
CHECK_METHOD = modtime

shreyasathavale · ‎02-24-2020

That did the trick !!! Thanks!!

Send data from file even if there is no change

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases