ii) Apply the crcSalt attribute when configuring the file in inputs. The data that is originally there will not be reindexed and it will not change to obey the new rules. Inputs Conf Splunkall your Splunk instances to see if you have. but in this time I think its worthless because the crcSalt is the same of the whole. I have an XML log file that is constantly being written into (about 100 entry per minute) however, when I search for the data in Splunk I am only seeing sporadic results of the data in Splunk where I see results for 10 minutes then nothing for the next 20 and so on and so forth. replacing nf (and restarting the server) will only make the new data that comes in obey the rules in the new nf. There is an nf in SPLUNKHOME/etc/apps/SA-ITOA/default. ignoringat installation /Ignoring olddata at installation crcSalt. Change the listed directory to the SPLUNKHOME/etc/system/local directory. Am having trouble with ingesting my data into Splunk consistently. You can find the working version of nf below: monitor://C:\analysis\sysmon. Unfortunately, as I mentioned, I dont have the option of editing the nf file - I am looking for a way to set the crcSalt option via the Command-Line Interface (CLI) - the moral equivalent of './splunk add monitor set crcSalt '. index time attributes, nf / Indextime attributes inputcsv command / Using CSV. Hi, Im struggling with an issue involving my old nemesis, nf rules :-).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |