Hi All,
I'm running a Windows Splunk to monitor this log file stored in this directory H:\apps\apps1-xxx.csv where xxx is in date format.
My inputs.conf contains this stanza:
[monitor://H:\apps]
disabled = false
sourcetype = OHWM
index = ohwm
whitelist = apps1.*\.csv$
crcSalt = apps1.*\.csv$
ignoreOlderThan = 7d
So far Splunk failed to index those files with dates after creation of input. Does anyone what is wrong with this?
Thanks and appreciate for any help!
Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.
[monitor://H:\apps\apps1*.csv]
disabled = false
sourcetype = OHWM
index = ohwm
crcSalt = <SOURCE>
ignoreOlderThan = 7d
Give this a try. Need to restart Splunkd service on the server where you have this inputs.conf.
[monitor://H:\apps\apps1*.csv]
disabled = false
sourcetype = OHWM
index = ohwm
crcSalt = <SOURCE>
ignoreOlderThan = 7d
didn't work..
Are all the files have modified date within 7 days (since you're using ignoreOlderThan attribute)? Can you open Command Prompt and run this command to check if you see those files in the output
(check Splunk install directory)
cmd> "c:\program files\Splunk\bin\splunk.exe" list monitor
somehow it got working after a pc restart