I'd like to start monitoring a file that has been around for a while. I need to get all the older data in the file AND start tailing it (or inversely start tailing it and then realize I need the older data, too). What is the easiest way to do this?

Here is the inputs.conf:

[monitor:///opt/scripts/sendShipConf/sendShipConf_cron.log]
disabled = false
followTail = 1
sourcetype = sendshipconf

I tried to oneshot it but the older info isn't there:

/opt/splunk/bin/splunk add oneshot /opt/scripts/sendShipConf/sendShipConf_cron.log

I could use a sinkhole but the sinkhole is defined globally (which means that I can't [or rather, don't want to] apply specific sourcetypes to it). This is from my "common" (global) app pushed to each forwarder:

[batch:///opt/splunk/var/spool/splunk]
move_policy = sinkhole

asked 06 Dec '10, 20:15

nocostk
2107
accept rate: 71%

edited 06 Dec '10, 20:20


2 Answers:

I think you may be making this a bit over-complicated; it sounds like you just need to add a regular monitor input, which will capture all of the old data and any new incoming data going forward.

Or is there some detail that I'm missing here?

answered 06 Dec '10, 21:25

Mick ♦
4.0k1327
accept rate: 52%

Well, maybe so. Here's a scenario: a developer asks me to start indexing a log. I get that set up and Splunk is happily chugging away at it (followTail). The developer emails me later and asks, "Is this all the older data or just the new data? How can I get the older data, too?"

(07 Dec '10, 14:09) nocostk

I'd agree with Mick. Wouldn't nocostk just need to add a new data input (file, source: monitor file or directory, /path/to/file) and make sure "follow tail" is de-selected?

answered 06 Dec '10, 21:47

mayler
917
accept rate: 0%

Right. I could just set followTail = 0, but for the sake of consistency across my environments I always just enable that value. I'd prefer to be able to add retroactive events on the fly.

(07 Dec '10, 14:12) nocostk

If you set it to 1, wouldn't it only index the new data? Setting it to 0 would index the old data and the new data, no?

(07 Dec '10, 22:16) mayler
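The followTail = 0 route that Mick and mayler describe, written out as an inputs.conf comparison (an added example, not from the thread; the path and sourcetype are taken from the question, and the "before" and "after" stanzas are shown side by side here only for reading, since a real inputs.conf must contain just one stanza per path):

```ini
# Added example, not from the thread. Same file path and sourcetype as the question.

# As deployed: followTail = 1 makes Splunk start at the end of the file the first
# time it sees it, so everything written before the input was enabled is never
# indexed. For a log you rely on for detection that is a blind spot, not just
# missing history.
[monitor:///opt/scripts/sendShipConf/sendShipConf_cron.log]
disabled = false
followTail = 1
sourcetype = sendshipconf

# Corrected: followTail = 0 (the default) reads the file from the beginning and
# then keeps tailing it, which is the "old data AND new data" behaviour asked for.
[monitor:///opt/scripts/sendShipConf/sendShipConf_cron.log]
disabled = false
followTail = 0
sourcetype = sendshipconf

# Caveat: followTail is honoured only the first time Splunk picks a file up.
# Once the file is already tracked, flipping the value from 1 to 0 does not make
# Splunk go back and read the older lines; the recorded read position is kept.

# The global sinkhole from the "common" app stays as it is. Per-file sourcetypes
# belong on the monitor stanza, not on the batch input.
[batch:///opt/splunk/var/spool/splunk]
move_policy = sinkhole
```

If the file is already being tailed, the reliable way to get the older events is still a separate one-time load of the historical lines rather than editing followTail on the existing input.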
Asked: 06 Dec '10, 20:15

Seen: 780 times

Last updated: 06 Dec '10, 21:47

Copyright © 2005-2012 Splunk, Inc. All rights reserved.