File Monitoring Issues:
Issue:
Log file monitored is enabled, but data is not getting indexed
Root cause:
Another file also has the first 256 characters same.
Note: If multiple files, have the first 256 same, then Splunk will consider only one file.
Solution:
Add “crcSalt=<text>“ under the respective stanza in inputs.conf & Restart the Splunk.
Filename: /opt/splunk/etc/apps/yourapp/local/inputs.conf
[monitor:///opt/data/test.log]
disabled=false
index=softmania_idx_3
sourcetype=log_generator
crcSalt=sometext