Solved: Why is Splunk failing to index files I have config... - Splunk Community

Getting Data In

Hi All,

I'm running a Windows Splunk to monitor this log file stored in this directory H:\apps\apps1-xxx.csv where xxx is in date format.
My inputs.conf contains this stanza:

[monitor://H:\apps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d

So far Splunk failed to index those files with dates after creation of input. Does anyone what is wrong with this?

Thanks and appreciate for any help!

1 Solution

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

View solution in original post

Solution

Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.

[monitor://H:\apps\apps1*.csv]
 disabled = false
 sourcetype = OHWM
 index = ohwm
 crcSalt = <SOURCE>
 ignoreOlderThan = 7d

didn't work..

Are all the files have modified date within 7 days (since you're using ignoreOlderThan attribute)? Can you open Command Prompt and run this command to check if you see those files in the output
(check Splunk install directory)

cmd> "c:\program files\Splunk\bin\splunk.exe" list monitor

somehow it got working after a pc restart

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...