Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duplicate IIS event logs | WatchedFile - Checksum for seekptr didn't match

Mike737
Engager
‎10-23-2013 09:25 PM

I'm receiving duplicate events from IIS logs being sent through the universal forwarder.

The forwardeds 'splunkd.log' is showing:

10-24-2013 14:45:02.882 +1100 INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\path\to\iis\logs\u_ex131024.log'.
10-24-2013 14:45:02.882 +1100 INFO  WatchedFile - Resetting fd  to re-extract header.

Splunk versions are:

  • Splunk 6.0.182037
  • Splunk universal forwarder 6.0.182611

inputs.conf

[monitor://C:\path\to\iis\logs\*.log]     
disabled = false    
sourcetype = iis

props.conf (as per universal forwarder defaults)

[iis]
pulldown_type = true 
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto

Any ideas where I am going wrong?

Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎12-17-2013 11:10 AM

This is a known issue with 6.0, SPL-77048. It is tentatively scheduled to be fixed in the forthcoming maintenance release, which will be post 6.0.1.

View solution in original post

Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎12-17-2013 11:10 AM

This is a known issue with 6.0, SPL-77048. It is tentatively scheduled to be fixed in the forthcoming maintenance release, which will be post 6.0.1.

Reply
Solved! Jump to solution

ekost
Splunk Employee
Splunk Employee
‎03-05-2014 05:41 PM

FIxed in 6.0.2: http://docs.splunk.com/Documentation/Splunk/6.0.2/ReleaseNotes/6.0.2

0 Karma
Reply
Solved! Jump to solution

arvidn
New Member
‎11-11-2013 12:58 PM

On Indexer,.
Create or edit " $SPLUNK_HOME\etc\system\local\props.conf"
[iis]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT - iis2 = iis2

Add more stanzas if nessesary (sample)
[u_ex-too_small]
rename = iis
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT - iis2 = iis2

[u_ex-2]
rename = iis
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
CHECK_FOR_HEADER = True
REPORT - iis2 = iis2


Create or edit " $SPLUNK_HOME\etc\system\local\transforms.conf"
[iis2]
DELIMS = " "
FIELDS = date, time(GMT), s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, sc-substatus, sc-win32-status, time-taken

I think this is default fields from IIS, add or remove if more or less fields are chosen.
Restart splunkd service

0 Karma
Reply
Solved! Jump to solution

mParticle
Explorer
‎11-13-2013 02:21 PM

Just one note - I added these to the two files you mentioned above, so that the IIS log comments get removed from the results:

To each stanza in the props.conf:
TRANSFORMS-removecomments = removecomments

To the transforms.conf:
[removecomments]
REGEX = ^#.*
DEST_KEY = queue
FORMAT = nullQueue

Thanks again!

0 Karma
Reply
Solved! Jump to solution

mParticle
Explorer
‎11-13-2013 02:13 PM

Excellent, thank you! It works perfectly. Hopefully Splunk fixes this in the next release...

Sorry for the delayed comment - the automated SplunkBase email went to my Junk folder and I just saw it...

0 Karma
Reply
Solved! Jump to solution

arvidn
New Member
‎11-08-2013 12:08 PM

We had the same problem with our IIS logs.
Think I have tried anything with UF version 6.0-82037 & 6.0-82611, upgrades and fresh install with different configurations (input.conf).
Uninstalled UF version 6 and reinstalled version 5.0.5-179365.
So far it has been stable, and no checksum error.

Splunk 6.0.182037 (indexer and heavy forwarder) &
Splunk Universal Forwarder 5.0.5-179365(again)

0 Karma
Reply
Solved! Jump to solution

arvidn
New Member
‎11-11-2013 01:05 PM

Hi mParticle. You will find my answer below. Couldn’t comment it here, too many characters…..

0 Karma
Reply
Solved! Jump to solution

mParticle
Explorer
‎11-11-2013 08:09 AM

Thanks arvidn! I tried this and so far the UF doesn't seem to get thrown in a loop, however the indexer doesn't parse the logs properly/automatically as it did with the 6.0 UF, so I am guessing some transforms are in order. Would you mind sharing what other conf file changes you have made on the UF/Indexer side to get this to work?

0 Karma
Reply
Solved! Jump to solution

mParticle
Explorer
‎11-04-2013 12:16 PM

+1... Splunk indexer and UF both on 6.0.182037

inputs.conf

[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
sourcetype=iis
index=iis_logs

props config

[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto

I also tried adding

initCrcLength = 1024
crcSalt = <SOURCE>

(crcSalt first by itself, then together with initCrcLength), neither is helping.

0 Karma
Reply
Solved! Jump to solution

mParticle
Explorer
‎11-07-2013 06:49 AM

Splunk guys, any suggestions? Anyone?

0 Karma
Reply
Solved! Jump to solution

Mike737
Engager
‎11-04-2013 05:32 PM

Glad to know someone else is facing the same issue

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...