New CSV file not syncing with index Splunk
I am having a problem with Splunk. I have an index that uses a folder of CSV files as its data input. When I add another CSV file to that folder for that index, the new source data does not show up in the index.
I have restarted Splunk several times and deleted and recreated the index, but the problem persists.
I have not added any configuration for that folder.
Do I need to add any conf for that folder? If so, please help me; I am new to Splunk.
One more thing: if I check the file count under Settings > Data inputs for the folder, it shows the correct number, but when I search any query against the mapped index there is some problem and it shows fewer files than expected.
The default inputs.conf file is:
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
[blacklist:$SPLUNK_HOME/etc/auth]
[blacklist:$SPLUNK_HOME/etc/passwd]
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*]
index = _internal
[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry
[monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry
[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0
[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
[fschange:$SPLUNK_HOME/etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:pars$
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = true
[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA$
ecdhCurves = prime256v1, secp384r1, secp521r1
allowSslRenegotiation = true
sslQuietShutdown = false
You need to create a new monitor stanza pointing to the location where the CSV files live. For example,
[monitor:///home/user/data/myfile.csv]
index = csv_data
In some cases (e.g. a single Splunk instance) you can add it through the web GUI, or you may need to modify the file.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Monitorfilesanddirectorieswithinputs.conf and https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf
It is best not to modify the default inputs.conf file. Instead, you should create a file at /opt/splunk/etc/system/local/inputs.conf and put the monitor stanza in it.
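Added example (not part of the original question or answer): a small Python script that parses inputs.conf stanzas the way the answer describes, reports which monitor stanza (if any) would pick up a given CSV path, and builds the folder-level stanza to drop into /opt/splunk/etc/system/local/inputs.conf. It also shows the two things that most often make a new CSV in an already-monitored folder vanish: a stanza that names one file instead of the folder, and CSV files that share a header line and therefore share the first-bytes CRC Splunk uses to decide whether it has seen a file before (hence crcSalt = <SOURCE>). The sample configuration, file paths and index names are constructed for illustration.

```python
import re

# Constructed sample inputs.conf (not from the post): a [default] stanza, a stanza that
# monitors one specific CSV file (the shape of the answer's example), a folder monitor,
# and a stanza that sets no index of its own.
SAMPLE_INPUTS_CONF = """\
[default]
index = default

[monitor:///home/user/data/myfile.csv]
index = csv_data

[monitor:///var/data/reports]
index = reports

[monitor:///tmp/unlabelled]
sourcetype = csv
"""


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza_name: {key: value}}.

    inputs.conf is INI-like: [stanza] headers followed by key = value lines;
    blank lines and # comments are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitor_pattern_to_regex(path):
    """Turn a monitor:// path into a regex over absolute file paths.

    Splunk wildcards: '...' matches across any number of directory levels and
    '*' matches within a single path segment. A monitor path that names a
    directory also covers everything beneath it (recursive = true is the
    default), hence the optional trailing '(/.*)?'.
    """
    pieces = []
    for part in re.split(r"(\.\.\.|\*)", path):
        if part == "...":
            pieces.append(".*")
        elif part == "*":
            pieces.append("[^/]*")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "(/.*)?$")


def covering_stanzas(stanzas, target_path):
    """Return [(stanza_name, effective_index)] for every monitor stanza covering target_path.

    A stanza without its own index inherits index from [default]; Splunk resolves
    the literal value 'default' to the instance's default index (main unless changed).
    """
    fallback_index = stanzas.get("default", {}).get("index", "default")
    hits = []
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        if monitor_pattern_to_regex(name[len("monitor://"):]).match(target_path):
            hits.append((name, settings.get("index", fallback_index)))
    return hits


def folder_monitor_stanza(folder, index, sourcetype="csv"):
    """Build the local/inputs.conf stanza that watches a whole folder of CSV files.

    crcSalt = <SOURCE> is included because Splunk fingerprints a file by the CRC of
    its first 256 bytes; CSV files that share a header line share that fingerprint,
    so a new file can be skipped as 'already indexed' unless the path is salted in.
    whitelist is a regex applied to the full path, here restricting input to .csv files.
    """
    return (
        f"[monitor://{folder}]\n"
        f"index = {index}\n"
        f"sourcetype = {sourcetype}\n"
        "whitelist = \\.csv$\n"
        "crcSalt = <SOURCE>\n"
    )


if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for path in ("/home/user/data/myfile.csv", "/home/user/data/newfile.csv",
                 "/var/data/reports/2024/q1.csv"):
        print(path, "->", covering_stanzas(conf, path) or "NOT monitored")
    print(folder_monitor_stanza("/home/user/data", "csv_data"))
```

Run against the sample, `/home/user/data/newfile.csv` is reported as not monitored because the only stanza for that folder names `myfile.csv` explicitly; the stanza produced by `folder_monitor_stanza` covers the folder instead, which is the fix the answer recommends. The matcher is a simplification of Splunk's own path handling (it ignores blacklist and whitelist when deciding coverage), so treat its verdict as a first check before consulting `splunkd.log` or the Data inputs page.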