- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- indexing a file uploaded with same filename
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
indexing a file uploaded with same filename
Hi,
scenario: a log uploader application helps in uploading logs to a directory. let it be splunkdata/timeofupload/yourid/splogs/filename.
regex used to monitor files are like
/splunkdata/.../.../...splogs/*
doubt1: will a file with different id but same filename can be indexed in splunk?
doubt2: will a file with same filename but different content and is can be indexed in splunk?
doubt3: will a file with same id same filename but different content can be indexed?
What settings do i have to change to get these features..
please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the previous answer says, Splunk builds a CRC of the first 256 bytes, in http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf you can edit the crcSalt to include the source path in the CRC check to ensure the same files in different locations get indexed and you could always change the initCrcLength to capture a larger portion of the file if the header changes through the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you define the crcsalt you define the full path of the file, the actual filename being the same makes no difference so it will still be read
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smolcj stated that contents are different, what may be equal is the filename (in different folders). So I guess he doesn't need to set crcSalt nor initCrcLength parameters.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi smolcj,
Splunk index files calculating the CRC with the first 256 characters of the file. So, if you have files with same name in different directories, Splunk checks file contents and if first 256 chars differs, they will be both indexed.
To be sure, configure your input like this:
[monitor:///splunkdata/timeofupload/*/splogs/*]
This way you are telling Splunk to monitor all timeupload subfolders which have files in splogs subfolder. To gain a better understanding, you can check the docs:
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories
Regards,
Stefano
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how can we specify timeofupload statically? it is calculated according to the time of the log uploaded and a directory is created using that name and log is saved inside that directory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't quite resolve the issue of the CRC though
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
