I have a directory on the splunk server. There are xml files in the directory. I have setup a sourcetype for the xml files and setup the splunk to load data from the directory continuously.
But somehow, it just don't work. I can load individual files from the directory with the same sourcetype without any problem.
I have another directory with different xml files and sourcetype and setup load data continuously and it works fine.
Any idea?
Thanks
I'm copying this from another place, it might apply here. I should get a commission from splunk
"
Check your splunkd.log for any logs related to this. Perhaps the files are too similar and you are getting a crccheck issue (where the crc of the files is too similar and splunk doesnt index because it thinks its the same file. Basically the first 250 chars of the files are the same, in this case look for crcSalt in inputs.conf)
Please read input.conf.spec for more information on [batch://] and crcSalt.
"