Getting Data In

Is there any way to tell Splunk to read a file (CSV) in a particular period of time?

thippeshaj
Explorer

Splunk should read a file only from 07:00PM to 07:30PM.

Please let me know if there is any way to do it.

0 Karma
1 Solution

muebel
SplunkTrust

Hi thippeshaj, generally there isn't any configuration for a monitor stanza to prompt it to stop/start reading at certain times. One workaround would be to create a scheduled task to disable/enable the monitor stanza for this input at specific times of the day. You could edit the configuration file directly with a script, or use the Splunk command line to disable/enable the input: http://docs.splunk.com/Documentation/Splunk/latest/Admin/CLIadmincommands

Alternatively, you might have luck with the "monitorNoHandle" type of input as described in the inputs.conf spec: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf . This type of input just monitors for file writes and doesn't maintain a handle on the actual file, which sounds like it is related to the original issue.

Please let me know if this answers your question!

0 Karma
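
The "edit the configuration file directly with a script" workaround from the accepted answer, sketched as an added example (not code from the thread or from Splunk). The CSV path and sample inputs.conf are constructed; the script only rewrites the file text, so Splunk still has to reload its inputs after each change.

```python
import re
from datetime import time

# Constructed sample inputs.conf; both monitor paths are hypothetical.
SAMPLE_INPUTS_CONF = """\
[monitor:///opt/data/jobs/report.csv]
sourcetype = csv
disabled = 1

[monitor:///var/log/messages]
disabled = 0
"""

WINDOW_START = time(19, 0)   # 07:00 PM, from the question
WINDOW_END = time(19, 30)    # 07:30 PM

def in_window(now, start=WINDOW_START, end=WINDOW_END):
    """True when `now` (a datetime.time) falls in [start, end)."""
    return start <= now < end

def set_disabled(conf_text, stanza, disabled):
    """Return conf_text with `disabled` set in exactly one stanza.

    Raises KeyError when the stanza is absent, so a mistyped path
    cannot silently leave the input in its previous state.
    """
    lines = conf_text.splitlines()
    header = f"[{stanza}]"
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == header)
    except StopIteration:
        raise KeyError(header) from None
    # The stanza ends at the next header or at end of file.
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].lstrip().startswith("[")), len(lines))
    new_line = f"disabled = {1 if disabled else 0}"
    for i in range(start + 1, end):
        if re.match(r"\s*disabled\s*=", lines[i]):
            lines[i] = new_line
            break
    else:
        lines.insert(start + 1, new_line)  # key was missing: add it
    return "\n".join(lines) + "\n"

def apply_schedule(conf_text, stanza, now):
    """Enable the input inside the window, disable it outside."""
    return set_disabled(conf_text, stanza, disabled=not in_window(now))

if __name__ == "__main__":
    print(apply_schedule(SAMPLE_INPUTS_CONF,
                         "monitor:///opt/data/jobs/report.csv", time(19, 10)))
```

Run it from a scheduler at the start and end of the window, write the result back to the real inputs.conf, and keep the file's owner and mode unchanged so the Splunk process can still read it.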

woodcock
Esteemed Legend
0 Karma

javiergn
SplunkTrust

Hi,

I was able to replicate your requirement with the following (simply replace hour = 12 with hour = 19 and then specify the name of your csv):

| stats count
| addinfo
| eval hour = strftime(info_search_time, "%H")
| eval minutes = strftime(info_search_time, "%M")
| where hour = 12 AND minutes < 30
| map search="| inputcsv mycsv.csv"

0 Karma

thippeshaj
Explorer

No, I don't want to filter it from the search head; I want to apply some config.
The reason is that when Splunk is trying to read a file, it does not allow the jobs to update the same file... it says that the file is already in use by Splunk, so we can't update the CSV. During some period of time, let's say 7pm to 7:30pm, no jobs will be running, so I can easily read the file.

0 Karma

jmallorquin
Builder

Hi,

Are you sure that Splunk is the problem? That is very rare; Splunk is prepared to read files while they are updated.

0 Karma

thippeshaj
Explorer

Hi,
Yeah, I know, but in this case this is the only solution, and I also have another requirement that is the same.
I want the solution as stated in my query.

0 Karma

jmallorquin
Builder

Hi,

Have you thought of a cron script to change the permissions of the file to control access for the splunk user?

I don't see any other solution.

0 Karma