Solved: Re: Send data from file even if there is no change

shreyasathavale · ‎02-24-2020

I have a file in a directory, whose timestamp is changed everyday using "touch" command. The contents might change after 3 months but not daily.
I need to monitor this file in splunk and read the contents even if they are same.

manjunathmeti · ‎02-24-2020

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime

View solution in original post

manjunathmeti · ‎02-24-2020

In props.conf set CHECK_METHOD = modtime for the source to check the modification time of the file.

props.conf

 [source::<file_path>]
 CHECK_METHOD = modtime

shreyasathavale · ‎02-24-2020

I tried this but somehow it is not working

manjunathmeti · ‎02-24-2020

can you post inputs.conf and props.conf for this source?

shreyasathavale · ‎02-24-2020

Hi, these are the conf files
Inputs.conf is:
[monitor://D:\splunk\abc.csv]
disabled = false
index = main
sourcetype = abccsv

Props.conf:
[labccsv]
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
disabled = false
maxDist = 75
pulldown_type = true
CHECK_METHOD = modtime

manjunathmeti · ‎02-24-2020

CHECK_METHOD = modtime must be set for [source:] stanza only not sourcetype.

Add this to props.conf.

[source::D:\splunk\abc.csv]
CHECK_METHOD = modtime

shreyasathavale · ‎02-24-2020

That did the trick !!! Thanks!!

Send data from file even if there is no change

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users