ERROR ArchiveProcessor with zip files

johnsonlui · ‎04-16-2014

Hello all,

We have met this error when we try to indexing the archive files into Indexer

04-17-2014 14:01:02.292 +0800 ERROR ArchiveProcessor - Archive with path="/home/splunk/data/bom/moc/CT_STATISTIC_20140417140001.csv.zip" is being skipped since FileContentException error encountered during ArchiveCrcChecker processing. Exception details="Ran out of data while looking for end of header"

May anyone help us on that?

Thanks,
Johnson

woodcock · ‎12-17-2015

I would try a moderately high number (100?) for time_before_close to make sure that the file is done being created (zipped) before you start to gunzip it:

time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past <integer> seconds.
* Defaults to 3.

ohoppe · ‎02-17-2015

Have you been able to fix the described issue? I am currently facing the same, but it is not an option to extract the files as they are produced directly as gz due to lack of disk space.

Thanks
Oliver

woodcock · ‎05-29-2014

I am having the same problem and a I did figure out that if I modify the inputs.conf file to handle *.csv instead of *.csv.gz and then I gunzip the files, everything works. This means it is a problem with the gunzip process that Splunk is using on the forwarder. I will post a followup if I figure out what is really wrong and get it working but at least this might provide a workaround for you in the meantime.

ERROR ArchiveProcessor with zip files

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases