How to manage indexing rolling log files without d...

ericrobinson · ‎03-15-2011

We are testing in a high throughput environment capturing logs that grow to 251MB in ~ 4-6 minutes at which time the logs are rolled to a dated log file.

e.g. test.log -> test.log.20110315042946

The problems is that Splunk thinks we have already indexed one or more of the rolled log files, and results in us missing data from the performance run. I have read about using the crcSalt but to avoid using that on rotating log files.

03-15-2011 09:38:04.028 ERROR TailingProcessor - Ignoring path due to: File will not be read, seekptr checksum did not match (file=/opt/perf/gett/log/test.log.20110315091120). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info.

Can someone suggest how this problem can be managed?

ericrobinson · ‎03-16-2011

Hi All.. Thanks for the help. We found that the rolling log file was also being renamed by another log archiving process.

What was happenning was the log would be rolled to test.log.1

Then, the archving process would rename it to test.log.20110316

We think that Splunk was seeing the log in the .1 format and when the file name changed to .2011*, the CRC had issues.

After changing our inputs.conf, we are not seeing the issue..

We were monitoring test.log* and now only monitor test.log and test.log.2011*

gkanapathy · ‎03-15-2011

Are the files simply renamed when they are rolled? What is the inputs.conf stanza that you are using to monitor the files?

netwrkr · ‎03-15-2011

Could you name the log file with the associated date / time value at the beginning rather than changing it afterwards?

How to manage indexing rolling log files without duplicating data in the Index

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!