Im my case , i want a file to be completely reindex irrespective of the changes made at the first, middle or at the bottom of the file.
When changes are made at bottom of the file , like adding 2 lines at the bottom , i want splunk to consider it as a new file and reindex the the complete file instead of adding only 2 lines to the index
Here the file name will not be changed, only data inside the file will be updated.
I have tried crcSalt = < SOURCE> in my inputs.conf , but it didnt work
is there any way to make splunk to reindex the file again?
Hello there @NAVEEN_CTS
Have u try this?
[sourcetype]
CHECK_METHOD = entire_md5
...
Where should i add this? inputs.conf or props.conf ?
Currently my set up is like UF --> HF--> IDX
I do some extraction at HF using the sourcetype.
props.conf in the UF
@alemarzu It didnt help as well....same result
I see, u should probably have to apply that settings over your source rather than sourcetype.
[source::PATH_FILE]
CHECK_METHOD = entire_md5
Hi @alemarzu , Still it didn't work
My config is as below, only new changes are getting indexed , entire file is not getting re-indexed again
My inputs.conf
[monitor:///apps/input/local/app_name/filename.txt]
index = test
sourcetype = test
My Props.conf
[source::///apps/input/local/app_name/filename.txt]
CHECK_METHOD = entire_md5