For every file, splunk creates a CRC (cyclic redundancy check) handler, which is based on first few line of the file. This helps prevent re-indexing of same file (even though its renamed, especially in case of files which are getting rolled over). It seems that the files being ignored by Splunk, in your case ,have similar first few lines (characters) causing Splunk to ignore them.
To make Splunk read all the files in a directory regardless of similar files, you need to add "crcSalt =
[monitor://C:\MyDirectory\*.log]
disabled = false
followTail = 0
sourcetype = myindex
crcSalt = <SOURCE>
Beware that, with this setting Splunk will index all the files, even though they have been renamed, rolled over.
For every file, splunk creates a CRC (cyclic redundancy check) handler, which is based on first few line of the file. This helps prevent re-indexing of same file (even though its renamed, especially in case of files which are getting rolled over). It seems that the files being ignored by Splunk, in your case ,have similar first few lines (characters) causing Splunk to ignore them.
To make Splunk read all the files in a directory regardless of similar files, you need to add "crcSalt =
[monitor://C:\MyDirectory\*.log]
disabled = false
followTail = 0
sourcetype = myindex
crcSalt = <SOURCE>
Beware that, with this setting Splunk will index all the files, even though they have been renamed, rolled over.
It has to be written as it is (string literal). And don't forget to either restart splunk instance or refresh configuration using "http://splunk-server:port/en-US/debug/refresh"
thanks somesoni2,
just to confirm that the