Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set continuous monitoring of an input file so that it gets indexed as the file gets updated?

surekhasplunk
Communicator
‎11-10-2016 09:06 AM

Hi,

I have Splunk installed on my local Windows machine.
From Splunk Web url, am doing below steps
Settings -> Add data -> Monitor Data ->Add sourcetype add index and submit

Data is coming from the xlsheet correctly under correct index and sourcetype, but problem is when the xlsheet file changes the changed data doesn't come up until i add the same file again from data inputs and do the same steps again.

Can someone please help on how to get the data indexed in Splunk as soon as the input file gets updated.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 03:01 AM

Hi surekhasplunk ,
when you say "xlsheet file changes" do you mean that there are additional lines on the top of the file or that any cells are changed?
Because the changed cells aren't taken by new loads, you can only load the new lines.
If you want to take changes, you have to reload the entire file and manage duplicates with dedup command; if you do this, remember to insert in your inputs.conf stanza the crcSalt= option.

Bye.
Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎11-11-2016 03:32 AM

when I say xlsheet changes I mean new rows get added to the bottom of the file.
So if I add this line "crcSalt= option" to inputs.conf file for my input file I need not have to reload again and again right

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:23 AM

Splunk check the first charachters of a file, if modified take the new lines, could you insert the new lines in the beginning of your file instead the bottom?
Bye.
Giuseppe

0 Karma
Reply

surekhasplunk
Communicator
‎11-11-2016 01:34 AM

Yes off course....

0 Karma
Reply

sk314
Builder
‎11-10-2016 04:46 PM

When you click on Settings->Add Data->Monitor Data->Files & Directories, are you making sure the "Continuously Monitor" setting is selected instead of "Index Once"?

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...