How to set continuous monitoring of an input file ...

surekhasplunk · ‎11-10-2016

Hi,

I have Splunk installed on my local Windows machine.
From Splunk Web url, am doing below steps
Settings -> Add data -> Monitor Data ->Add sourcetype add index and submit

Data is coming from the xlsheet correctly under correct index and sourcetype, but problem is when the xlsheet file changes the changed data doesn't come up until i add the same file again from data inputs and do the same steps again.

Can someone please help on how to get the data indexed in Splunk as soon as the input file gets updated.

Thanks

gcusello · ‎11-11-2016

Hi surekhasplunk ,
when you say "xlsheet file changes" do you mean that there are additional lines on the top of the file or that any cells are changed?
Because the changed cells aren't taken by new loads, you can only load the new lines.
If you want to take changes, you have to reload the entire file and manage duplicates with dedup command; if you do this, remember to insert in your inputs.conf stanza the crcSalt= option.

Bye.
Giuseppe

surekhasplunk · ‎11-11-2016

when I say xlsheet changes I mean new rows get added to the bottom of the file.
So if I add this line "crcSalt= option" to inputs.conf file for my input file I need not have to reload again and again right

gcusello · ‎11-11-2016

Splunk check the first charachters of a file, if modified take the new lines, could you insert the new lines in the beginning of your file instead the bottom?
Bye.
Giuseppe

surekhasplunk · ‎11-11-2016

Yes off course....

sk314 · ‎11-10-2016

When you click on Settings->Add Data->Monitor Data->Files & Directories, are you making sure the "Continuously Monitor" setting is selected instead of "Index Once"?

How to set continuous monitoring of an input file so that it gets indexed as the file gets updated?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes