After adding another file to a monitored directory...

adityaanand · ‎05-26-2015

Hi,

I am trying to monitor a directory called RSD and it contains a file RSDReport.xml.
When i start searching it shows 500 events and i made a simple report.
After some time, i added another file RSDReport1.xml in the RSD directory, but there are no changes in the search result.

Now my questions are:
1) should the report be automatically update without any event generated by me?
2) Should i run the search again?
3) Will I have to restart the splunk service?

One thing i would like to mention here is that both files don't contain the same initial 256 bytes
Again, when i added initCrcLength = 2000 in inputs.conf, restarted the splunk service, and ran the search again, it gave the expected output.
I am thinking that when i am monitoring a directory, then changes should be reflected automatically. We need not bother about to restart splunk service and re-run the search.

Please guide me about directory monitoring. I read documentation and i have a little bit idea about it.

Thanks,
Aditya

woodcock · ‎05-26-2015

I think you have a TZ issue with your timestamping and your "nowish" events are showing up "in the future". To test this, the next time you forward a file, run your search for all time which is the only way to see events mis-timestamped into the future. There is also a log that shows this. You can confirm this sort of a problem with this search:

... | eval lagSeconds = _indextime - _time | stats avg(lagSeconds) by sourcetype,host,index

If the lagTime is negative, then you definitely have this problem.

After adding another file to a monitored directory, why is there no change in the search results for a report?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability