Interpreting errors after deleting Splunk log files

aafogles
Explorer

I'm reinstalling some UFs in my VM network. I'm using a suggestion posted in http://answers.splunk.com/answers/86950/upgrading-the-universal-forwarder-from-32bit-to-64bit

1 - backup the $SPLUNK_HOME/etc/ folder
2 - backup the $SPLUNK_HOME/var/ folder
3 - remove the old 32bit installation
4 - install the new one (same version but 64bit)
5 - copy back the etc folder to replace
6 - copy back the var folder to replace
7 - start splunk

Due to size restrictions of my /opt directory in my VMs, I'd like to wipe the .../log/splunk directory (most are over 100MB in size) before backing up the .../var directory. However, when the change is complete, I get a batch of errors like the one below. I see that my log files are still being written to, but I'm having a hard time testing what's going on in terms of indexing the sourcetype 'splunkd'. Is the error below a one time thing or will the UFs no longer tail any log files (i.e., the new ones)? If not, will they reindex on every restart or simply not index at all? Would there be a way to correct it, via Splunk command, conf file, or refresh? Thanks!

05-21-2014 16:42:11.979 -0400 ERROR TailingProcessor - Invalid value ' ' for parameter ‘detect_trailing nulls’ for source ‘/opt/splunkforwarder/var/log/splunk/metrics.log’, sourcetype ‘splunkd’. Assuming default of ‘false’.

0 Karma

jrodman
Splunk Employee

This error means that the system cannot find a configuration value for this setting for those files. Most likely something irregular happened regarding the default conf files as they are perceived in memory, and wiping the log dir forced splunk to re-consider the splunk-specific logfiles. When tailing starts working on a file, it computes the configurations to use. In this case, an expected setting was not available or was set to blank, and you got an error.

One possibility is that you upgraded from a version that does not have detect_trailing_nulls support, to a version that does, but reinstated the conf files from the older version.

This message is emitted as an ERROR because it indicates that the conf files being used are not in a valid state. However, this specific setting being missing will not affect behavior, as the message states, because it is assuming the default of false and proceeding.

0 Karma
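The two states described in the answer above (a setting that is absent versus one that is set to blank) can be told apart in a restored props.conf with a small check. This is an added example, not code from the thread or from Splunk; `parse_conf` and `setting_state` are hypothetical helpers, the sample file is constructed, and it assumes a single file with a `[default]` fallback rather than Splunk's full multi-directory layering.

```python
import re

# Constructed sample: a props.conf as it might look after copying etc/ back
# from an older install (not taken from the original post).
SAMPLE_PROPS = """\
[default]
CHARSET = UTF-8

[splunkd]
detect_trailing_nulls =
SHOULD_LINEMERGE = false

[access_combined]
# comment lines and blanks are ignored
MAX_TIMESTAMP_LOOKAHEAD = 128
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<val>.*)$")

def parse_conf(text):
    """Return {stanza: {key: value}}; later duplicates overwrite earlier ones."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val").strip()
    return stanzas

def setting_state(stanzas, sourcetype, key):
    """Classify key for a sourcetype as 'set', 'blank' or 'missing',
    falling back to [default] when the sourcetype stanza lacks it
    (assumed simplification of Splunk's layering)."""
    for name in (sourcetype, "default"):
        stanza = stanzas.get(name, {})
        if key in stanza:
            return ("set" if stanza[key] else "blank", name)
    return ("missing", None)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_PROPS)
    print(setting_state(conf, "splunkd", "detect_trailing_nulls"))
```

On a real forwarder the merged view across all conf directories comes from `splunk btool props list splunkd --debug`; this sketch reads one file only.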