Hi,
I have a lot of CSV files under the directory "/opt/splunk/splunkdata/June2014". When I ask Splunk to index the complete directory, it does not show many files in "search". Is it because most of my files have the same contents? How do I make Splunk ignore this? FYI, my file names are different.
Should I modify crcSalt under "/opt/splunk/etc/system/default"? If so, to what value?
Hi,
I was able to solve this problem. There were many inputs.conf files in different directories, as mentioned below, and I included crcSalt=
/opt/splunk/etc/apps/launcher/local/inputs.conf
/opt/splunk/etc/system/local/inputs.conf
/opt/splunk/etc/system/default/inputs.conf
/opt/splunk/etc/system/default/inputs.conf
Any customization to this file might be overwritten if Splunk is upgraded.
Better to stick changes in
/opt/splunk/etc/system/local/inputs.conf only
Hi Amit,
inputs.conf under "/opt/splunk/etc/system/default" already has "crcSalt =
[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =
crcSalt = <SOURCE>
should help you.
More about that here
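Added example, not part of the original thread and not Splunk's own code: a simplified Python model of the file monitor's initial checksum (the first 256 bytes, Splunk's default initCrcLength), run over constructed CSV files. It reports which files collide and shows that mixing in the source path, as crcSalt = <SOURCE> does, separates them. zlib.crc32 and all helper names are assumptions chosen for illustration.

```python
import os
import tempfile
import zlib
from collections import defaultdict

INIT_CRC_LENGTH = 256  # Splunk's documented default for initCrcLength


def head_crc(path, salt_with_source=False, length=INIT_CRC_LENGTH):
    """Simplified model of the initial CRC; zlib.crc32 is a stand-in (assumption)."""
    with open(path, "rb") as fh:
        head = fh.read(length)
    if salt_with_source:
        # Models crcSalt = <SOURCE>: the full source path is mixed into the checksum.
        head = os.path.abspath(path).encode() + head
    return zlib.crc32(head)


def colliding_groups(directory, salt_with_source=False):
    """Return lists of file names whose initial checksum is identical."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            groups[head_crc(path, salt_with_source)].append(name)
    return [names for names in groups.values() if len(names) > 1]


def build_sample_dir():
    """Constructed sample data: CSV exports that share a header longer than 256 bytes."""
    directory = tempfile.mkdtemp(prefix="June2014_")
    header = ",".join(f"column_{i:03d}" for i in range(40)) + "\n"
    for day, value in (("01", "10"), ("02", "20"), ("03", "30")):
        with open(os.path.join(directory, f"report_{day}.csv"), "w") as fh:
            fh.write(header + f"2014-06-{day},{value}\n")
    # A file with a different header does not collide with the others.
    with open(os.path.join(directory, "other.csv"), "w") as fh:
        fh.write("time,host,event\n2014-06-01,web01,login\n")
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    print("unsalted collisions:", colliding_groups(sample))
    print("salted collisions:  ", colliding_groups(sample, salt_with_source=True))
```

Calling colliding_groups() on a real drop directory before onboarding it shows which files the monitor would treat as already seen, which matters when the missing files are logs that detections depend on.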