Solved: SPLUNK doesn't pick same content with different fi...

AKG1_old1 · ‎09-27-2016

Hello,

I want to monitor multiple files which contain same content but different file name.

For example:
counts_sybase15_2016-09-26-12-20-21_START.log
counts_sybase15_2016-09-26-13-02-18_STOP.log

these files are in same folder and having same size but splunk is picking only 1 file.

Is there any specific configuration which make splunk to pick differernt file without consent of content ?

Regards,
Ankit

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

View solution in original post

somesoni2 · ‎09-27-2016

You would need to setup crcSalt attribute (with value <SOURCE>) in the inputs.conf for your monitoring stanza to force Splunk to index same data with different file name.

[monitor://....]
..other attributes..
crcSalt = <SOURCE>

Look at inputs.conf specification for more details on the attribute.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Inputsconf

SPLUNK doesn't pick same content with different file name.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!