Solved: Index File Daily

duffeysplunk · ‎02-09-2017

I have some files that I need to index daily even though they may not change in content for several days (for example over weekends). The files are generated daily so they have a new creation and modification time. How can I force splunk to automatically index the file daily or use something like creation or modification time?

gcusello · ‎02-10-2017

Hi duffeysplunk,
you have to insert in your inputs.conf the option crcSalt = <SOURCE> and in your props.conf CHECK_METHOD = modtime.
See
http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

Bye.
Giuseppe

View solution in original post

Rajeev · ‎06-11-2021

Hello,

Won't CHECK_METHOD=modtime lead to duplicate entries in splunk indexer as same data might get indexed again & again daily?

gcusello · ‎02-10-2017

Hi duffeysplunk,
you have to insert in your inputs.conf the option crcSalt = <SOURCE> and in your props.conf CHECK_METHOD = modtime.
See
http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

Bye.
Giuseppe

duffeysplunk · ‎02-10-2017

Thanks, that helped. I think I was mostly confused about where I put the CHECK_METHOD.

Index File Daily

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!