Solved: Issue with indexing multiple files from same folde...

k_harini · ‎10-23-2017

Hi,
I would like to index files into different indexes which are residing in same folder. I did whitelisting. But only first file in folder got indexed successfully. Other 2 files are not indexed.

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_prime_idx
sourcetype = aof_tm_source
whitelist = (prime.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_architect_idx
sourcetype = aof_tm_source
whitelist = (Architect.*\.csv)
crcSalt = <SOURCE>

[monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\]
disabled = false
index = aof_archade_idx
sourcetype = aof_tm_source
whitelist = (archade.*\.csv)
crcSalt = <SOURCE>

what could be the reason. ? How can i achieve this in a different way? please provide some pointers

harsmarvania57 · ‎10-23-2017

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

View solution in original post

harsmarvania57 · ‎10-23-2017

Hi @k_harini,

When you define multiple monitor stanza with same directory path in inputs.conf, Splunk will consider only one monitor stanza.

In your case you can configure inputs.conf as below

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\prime.*.csv]
 disabled = false
 index = aof_prime_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\Architect.*.csv]
 disabled = false
 index = aof_architect_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

 [monitor://C:\Program Files\Splunk\etc\apps\test\testdata\certification_data\archade.*.csv]
 disabled = false
 index = aof_archade_idx
 sourcetype = aof_tm_source
 crcSalt = <SOURCE>

k_harini · ‎10-24-2017

This worked with some slight modifications. Thanks!

zanb · ‎02-03-2019

What were your modifications? Please post details of solutions, as "this worked with some slight modifications" helps no one else with the same issue! Thank you!

k_harini · ‎10-23-2017

Thanks a lot. I will try this now

k_harini · ‎10-24-2017

This did not work.. none of files got indexed 😞

lloydknight · ‎10-23-2017

Hello @k_harini

May I ask if what are you trying achieve?

try changing the sourcetype name per index.

Issue with indexing multiple files from same folder

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms