**My input.conf file:**
[monitor:///var/log/openvpn/*hostname*_vpnStatus.log]
disabled = 0
crcSalt = SOURCE
index = iss-nipa-clients
sourcetype = nipa:clients:status
**My props.conf file:**
[nipa:clients:status]
[source::/var/log/openvpn/*hostname*_vpnStatus.log]
CHECK_METHOD = modtime
DATETIME_CONFIG = NONE
**Extract from the forwarder splunkd.log:**
09-13-2017 11:55:02.104 +0200 INFO WatchedFile - Modtime is newer than stored, will reread file='/var/log/openvpn/*hostname*_vpnStatus.log'.
09-13-2017 11:55:02.110 +0200 INFO WatchedFile - Will begin reading at offset=0 for file='/var/log/openvpn/*hostname*_vpnStatus.log'.
**The file to be indexed:**
File created at: 2017-09-13_11:59:01
UNDEF,ip.ip.ip.ip:port,84,188,Wed Sep 13 11:58:16 2017,Tunnel_a
c1115-ip.ip.ip.ip:port,19051077,18985566,Thu Aug 31 14:54:56 2017,Tunnel_a
c1350,ip.ip.ip.ip:port,161253,160644,Wed Sep 13 09:24:57 2017,Tunnel_a
c1255-1,ip.ip.ip.ip:port,176571,172050,Wed Sep 13 09:24:57 2017,Tunnel_a
c1783-1,ip.ip.ip.ip:port,170017,175415,Wed Sep 13 09:24:59 2017,Tunnel_d
c1215-1,ip.ip.ip.ip:port,167136,167643,Wed Sep 13 09:24:56 2017,Tunnel_d
File created at: 2017-09-13_11:59:01
This file is created every minute and according to **splunkd.log** it is also read every minute, but not indexed **only periodicaly**.
The created time stamp on the header and trailer is changing every minute as the creatation time of the file.
Why is splunk not indexing this file every minute!!!!????
↧