Getting Data In

Splunk does not continuously index the file.

harshal_chakran
Builder

Hi,

I have a requirement in which a file is continuously dumped with data. Even though I have selected the continuously monitored option, the data from the file does not get indexed after a few changes down the timeline in the file. The file size is hardly 2-3 MB.

Please Help...!!!

0 Karma

kristian_kolb
Ultra Champion

You could always look for any errors or warnings in the splunkd.log (available through the following search: index=_internal sourcetype=splunkd), and you can also query the REST endpoint on the Splunk instance where the file is being read (indexer or forwarder):

https://splunk_host:8089/services/admin/inputstatus/TailingProcessor:FileStatus

You will need to authenticate with the proper Splunk username and password.

Scrolling down the list of files you shall find the file you're looking for, and hopefully see some indication of the error.

If it says '100% read', a/o 'finished' - it means that the file was successfully read. Perhaps your timestamps are parsed incorrectly, and that could be the reason why they are not returned in the search.

As I already said, provide more info - e.g. some sample data and the relevant sections of the config files.

/K

0 Karma

harshal_chakran
Builder

I am getting the following error message in Splunkd.log file:

1-21-2013 14:02:49.515 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source

At start, the file is empty, and after a few minutes the data starts getting dumped into the file.

0 Karma
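A triage sketch for the error quoted in this thread, as an added example (not code from the posters or from Splunk): it scans splunkd.log text for the TailingProcessor CRC-check error, groups the hits per file, and prints the inputs.conf stanza with the CRC salt that the message hints at. The function names, the second file path and the extra log lines are constructed for illustration.

```python
import re

# splunkd.log layout as in the thread: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")
# Non-greedy up to ")." so paths containing parentheses, e.g. "Program Files (x86)", survive.
CRC_RE = re.compile(r"too small to match seekptr checksum \(file=(?P<file>.+?)\)\.")

# Constructed sample: line 1 is the error quoted in the thread; the rest are made up for the demo.
SAMPLE_LOG = r"""1-21-2013 14:02:49.515 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
1-21-2013 14:03:10.002 +0530 INFO  ExampleComponent - constructed unrelated line
1-21-2013 14:07:49.731 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
1-21-2013 14:09:00.120 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Program Files (x86)\tool\out.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
"""

def crc_conflicts(text):
    """Return {file: {"count", "first", "last"}} for TailingProcessor CRC-check errors."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR" or m["component"] != "TailingProcessor":
            continue
        c = CRC_RE.search(m["msg"])
        if not c:
            continue
        rec = hits.setdefault(c["file"], {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["last"] = m["ts"]
    return hits

def suggest_stanza(path):
    """inputs.conf stanza adding the CRC salt the error message recommends.
    crcSalt = <SOURCE> is literal: it mixes the full path into the checksum.
    Caveat: a file that is later renamed or rotated will then be indexed again."""
    return "[monitor://{}]\ncrcSalt = <SOURCE>\n".format(path)

if __name__ == "__main__":
    for path, rec in crc_conflicts(SAMPLE_LOG).items():
        print("{count}x {first} .. {last}  {0}".format(path, **rec))
        print(suggest_stanza(path))
```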

harshal_chakran
Builder

I have a text file at a specific location, which is dumped with data through a telecom tool automatically. If I manually copy the data in the text file, Splunk keeps on indexing it. But when the same data is put in the text file through the automated tool, the file doesn't get indexed, and on some tries about one-fourth of the actual file got indexed.

Can you please help me with this issue?

0 Karma

kristian_kolb
Ultra Champion

I think you need to provide more details, e.g. your config files, some sample events, any error messages in the splunkd.log etc.

0 Karma