![]() The crcSalt attribute, when set to, ensures that each file has a unique. ii) Apply the crcSalt attribute when configuring the file in inputs. scp the file to a different directory, then mv it to the batch directory. Hello Cusello, Thank you for quick response, am using below config as suggested by you, and its indexing duplicate files in splunk. Inputs Conf SplunkInstead of configuring inputs, outputs and lookups in one. conf in the SPLUNKHOME/etc/system/local/ directory. Write a script to remove the files from the directory after 24 hours or 7 days or whatever makes sense. This means that Splunk will ignored whatever is already indexed if the nf file is changed. Use monitor:// instead of batch in your nf. Looks like Splunk re-indexed all files even though there were files already indexed with the same SOURCE value. Once I added the configuration all files were indexed. Or alternatively, can you select different destination directories or append todays name to the file name in order to make it work with crcSaltI remembered that day I added the crcSalt configuration because I wasn't able to index all the files because of their similarity. The output showed that those files were re-indexed the next day causing the problem. Also if I disable crcSalt then new files that are added to the directory will not be indexed. crcSalt makes sure that all files with different source(location) are indexed into Splunk. ![]() I included crcSalt because all the files are very similar and if Splunk thinks they are the same they will not be indexed in Splunk. | stats dc(splunk_server) count by source output: source: dc(splunk_server) countĪll dc(splunk_server) values are 1 and I haven't made any change in any of those nf files. Hi, Im struggling with an issue involving my old nemesis, nf rules :-). # Replace 'YourDeploymentServerHostname' with the ip-address where your deployment server is running.įile at /SplunkForwarder/default: įorwardedindex.2.whitelist = (_audit|_introspection)įile at /SplunkLightForwarder/default: įorwardedindex.2.whitelist = (_audit|_internal|_introspection) etc/apps/SplunkLightForwarder/default/nf etc/modules/distributedDeployment/classes/deployable/nf
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |