What are recommendations for monitoring static fil...

renems · ‎10-28-2014

Hi all,

I tried searching for this issue, since I'd expect this question should be asked a numerous times already. Unfortunately I couldn't find a decent answer.

I have a bunch of files containing system information. It contains cpu, mem info, as well as architecture data etc. Really nice to have in splunk, to enrich existing queries. What is the best way of treating those in splunk? I'd like to get the same info every day, even though the contents did not change. I'm aware of the CRC SALt option, as well as the source::modtime. Can you help me to find the recommended way of dealing with static files?

vliggio · ‎12-17-2015

I believe that a lookup would be more appropriate for this. Look at http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources

Ayn · ‎10-28-2014

Splunk's file monitor input isn't designed for re-reading data it has already read on some kind of schedule. My advice would be to create a scripted input that you run with the schedule you want and have the script you're calling output the data from whatever static file(s) you want to index.

What are recommendations for monitoring static files?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms