Getting Data In

How can I configure Splunk to read in a log that is identical to another log in the same directory?

daniel333
Builder

All,

We have a report that runs every hour. Basically 10 line CSV. Might grow to 20 lines on an off week.
myreport-%date%.csv

It's populating a larger data set. 99% of the time the report will be identical to the previous run, however. Since it's only a few kilobytes in size I would just rather Splunk ingest the report every time. But I believe there is some mechanism in Splunk that prevents it from reading in a file identical to another file in the same directory. Any way to disable this?

I tried crcSalt= and it only worked for one run.

0 Karma

jkat54
SplunkTrust

Are you using a monitor stanza?

I just saw your comment about having tried crcSalt and it only working for one run...

crcSalt should work fine as long as the %date% changes each time. If it's not changing... it needs to.

You could do something like this to add the hour and minutes to the file name via the date variable:

REM loop through time /t output
for /f "tokens=1,2,3 delims=: " %%A in ('time /t') do set "h=%%A" & set "m=%%B" & set "t=%%C"
REM remove space after hour
set "h=%h: =%"
REM create the date variable out of tokens from above
set "date=%h%%m%%t%"

0 Karma

jkat54
SplunkTrust

In your inputs.conf, add this to the input stanza:

crcSalt=<SOURCE>

crcSalt = <string>
* Use this setting to force Splunk to consume files that have matching CRCs
  (cyclic redundancy checks).
    * (Splunk only performs CRC checks against, by default, the first 256 bytes
      a file. This behavior prevents Splunk from indexing the same file twice,
      even though you may have renamed it -- as, for example, with rolling log
      files. However, because the CRC is based on only the first few lines of
      the file, it is possible for legitimately different files to have matching
      CRCs, particularly if they have identical headers.)
* If set, <string> is added to the CRC.
* If set to the literal string <SOURCE> (including the angle brackets), the
  full directory path to the source file is added to the CRC. This ensures that
  each file being monitored has a unique CRC.   When crcSalt is invoked, it is
  usually set to <SOURCE>.
* Be cautious about using this attribute with rolling log files; it could lead
  to the log file being re-indexed after it has rolled.
* In many situations, initCrcLength can be used to achieve the same goals.
* Defaults to empty.
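
An added example (not part of the original thread, and not Splunk's own code): a simplified Python model of the duplicate check described in the spec text above. It shows why identical hourly reports are skipped, and why crcSalt = <SOURCE> helps only when the file name changes on every run. `zlib.crc32` stands in for Splunk's internal CRC, and the file paths and report contents are constructed for illustration.

```python
import zlib

INIT_CRC_LENGTH = 256  # default number of leading bytes checked, per the spec text


def initial_crc(content, source, crc_salt=None):
    """CRC of the salt plus the first INIT_CRC_LENGTH bytes of the file.

    Assumption: zlib.crc32 is a stand-in; Splunk's real CRC function differs.
    """
    if crc_salt == "<SOURCE>":
        salt = source            # literal <SOURCE> means "use the full path"
    else:
        salt = crc_salt or ""    # any other string is added as-is
    return zlib.crc32(salt.encode() + content[:INIT_CRC_LENGTH])


def simulate(files, crc_salt=None):
    """Return the sources that would be indexed, in arrival order."""
    seen = set()
    indexed = []
    for source, content in files:
        key = initial_crc(content, source, crc_salt)
        if key in seen:
            continue             # looks like a file that was already read
        seen.add(key)
        indexed.append(source)
    return indexed


# Constructed sample: a small CSV report that is byte-identical on every run.
REPORT = b"host,status,count\n" + b"web01,ok,12\n" * 10

# Hypothetical paths: the name changes every run vs. the name repeats.
HOURLY = [("/reports/myreport-%s.csv" % t, REPORT) for t in ("0100", "0200", "0300")]
SAME_NAME = [("/reports/myreport-Mon.csv", REPORT)] * 3

if __name__ == "__main__":
    print("no salt:          ", simulate(HOURLY))
    print("static salt:      ", simulate(HOURLY, "abc"))
    print("<SOURCE>, new name:", simulate(HOURLY, "<SOURCE>"))
    print("<SOURCE>, same name:", simulate(SAME_NAME, "<SOURCE>"))
```

In this model a fixed salt string does not help either, because every file under the stanza gets the same salt; only a salt that varies per file, such as the path, separates identical content.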