csv file should be synced with splunk so that next time I changed the data in csv file, it should reflect automatically in splunk
Create a Lookup file
on your search head and then link to this file by creating a Lookup table
. Then, using the CLI on your Search Head, use soft link
or rsysnc
or other method, create your automatic synchronization of the files such that when the source file is updated, the Lookup file
on the Search Head is also updated. You can also put a Deployment Server
in the middle.
how about using the monitor stanza to monitor that csv file?
docs:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Extractfieldsfromfileswithstructureddata
answers (there are plenty):
https://answers.splunk.com/answers/29418/step-by-step-adding-a-new-csv-datasource.html