Solved: Changing inputs.conf to include previously scanned...

tyronetv · ‎11-06-2013

When initially set up my splunk install is set to capture only the most recent version of a log:

/path/to/log/dir/logfile.

Well, sometimes, due to maintenance, etc., Splunk is shut off and when restarted I have to go through the process of reloading (via oneshot) the data from logfile.1 logfile.2 logfile.3 . . . to get caught up.

On systems I've set up, I just have inputs.conf configured for /path/to/log/dir with a whitelist on logfile*$

What will happen if I change the previous configuration? Will it re-index all the previous logfile.\d+$ files or is it self-aware enough to not do that?

kristian_kolb · ‎11-06-2013

Normally splunk will not re-index a file it has already seen (as it keeps track of what has already been indexed in a special index called the fishbucket).

http://docs.splunk.com/Documentation/Splunk/6.0/Data/MonitorFilesAndDirectories#How_monitor_works_in...
http://docs.splunk.com/Documentation/Splunk/6.0/Data/HowLogFileRotationIsHandled
http://wiki.splunk.com/Community:HowSplunkReadsInputFiles
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

/K

View solution in original post

kristian_kolb · ‎11-06-2013

Normally splunk will not re-index a file it has already seen (as it keeps track of what has already been indexed in a special index called the fishbucket).

http://docs.splunk.com/Documentation/Splunk/6.0/Data/MonitorFilesAndDirectories#How_monitor_works_in...
http://docs.splunk.com/Documentation/Splunk/6.0/Data/HowLogFileRotationIsHandled
http://wiki.splunk.com/Community:HowSplunkReadsInputFiles
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

/K

Changing inputs.conf to include previously scanned files

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases