Getting Data In

Rolled over issue with same header

jitsinha
Path Finder

I have couple of files in a directory as below

Out.log
Out_15.05.20_14.32.33.log
Out_15.05.21_07.06.45.log
Out_15.05.21_10.00.27.log

All of these files have the same header, hence Splunk is ignoring all new files, since the rolled-over files have the same header and the same size.

Now I am planning to use the initCrcLength property and set it to 1000 so that Splunk will ignore the header part.

One issue with this is that Splunk will re-index all the files.

Can anyone please suggest how to ignore the older files?


miteshvohra
Contributor

Here is the doc link that explains how Splunk handles log file rotation.

On the other hand, you can also add an ignoreOlderThan = setting to the stanza in the inputs.conf file, with the value given as {number}{unit} (without brackets). For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).

Let us know what worked for you so others visiting this post can learn/re-use.

Regards, Mitesh.


jitsinha
Path Finder

Thanks for your response. The system in place rolls over files based on date/size, whichever comes first.
Hence ignoreOlderThan will not work properly.

Sorry I might not be clear earlier.

The issue I am referring to is more related to the header being the same across all the files.

So for an example say I got one file A.log for today.

In this situation if I start to monitor the directory containing the file, Splunk will only pick A.log file and will index it.

But tomorrow, when a new file is created, today's file will be renamed to A.20150525.log, but since the new file and the old file have the same header, the new file will be ignored, and for that matter all the files for all the consecutive days.

Now the indexing issue has been fixed by setting initCrcLength = 1000, but Splunk has reindexed all the older files again.

How do I stop this re-indexing?
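The following is an added illustration of the mechanism behind both the original problem and the re-indexing that followed; it is not code from the thread and not Splunk's implementation. It assumes, as a simplification, that the file monitor identifies a file by a CRC32 over its first initCrcLength bytes (256 is the documented default, 1000 is the value chosen above), and that the fingerprints already stored for known files were computed with the old window. The file names are the ones listed in the question; their contents, with a shared header longer than 256 bytes, are constructed for the example.

```python
from __future__ import annotations

import zlib
from collections import defaultdict

# Simplifying assumption (not Splunk's actual code): the monitor fingerprints a
# file with a CRC32 over its first initCrcLength bytes. 256 is the documented
# default; 1000 is the value set in the thread above.
DEFAULT_INIT_CRC_LENGTH = 256
RAISED_INIT_CRC_LENGTH = 1000

# Constructed sample data: every rolled-over file starts with this identical
# header, which is deliberately longer than the default 256-byte window.
HEADER = (
    "# Application log\n"
    "# Version: 1.0\n"
    "# " + "=" * 120 + "\n"
) * 2

# Constructed file contents keyed by the file names from the question.
FILES: dict[str, bytes] = {
    name: (HEADER + body).encode("utf-8")
    for name, body in {
        "Out.log": "2015-05-21 10:00:28 INFO request id=4413 status=200\n",
        "Out_15.05.20_14.32.33.log": "2015-05-20 09:12:01 INFO request id=1001 status=200\n",
        "Out_15.05.21_07.06.45.log": "2015-05-20 14:32:40 WARN request id=2210 status=503\n",
        "Out_15.05.21_10.00.27.log": "2015-05-21 07:06:50 INFO request id=3305 status=200\n",
    }.items()
}


def fingerprint(data: bytes, init_crc_length: int) -> int:
    """CRC32 over the first init_crc_length bytes of the file content."""
    return zlib.crc32(data[:init_crc_length]) & 0xFFFFFFFF


def group_by_fingerprint(files: dict[str, bytes], init_crc_length: int) -> dict[int, list[str]]:
    """Map each fingerprint to the file names that produce it."""
    groups: dict[int, list[str]] = defaultdict(list)
    for name, data in files.items():
        groups[fingerprint(data, init_crc_length)].append(name)
    return dict(groups)


def collisions(files: dict[str, bytes], init_crc_length: int) -> list[list[str]]:
    """Groups of files the monitor cannot tell apart.

    Every file in a colliding group after the first one looks like an
    already-seen file, so it is skipped: this is the 'new files are ignored'
    symptom from the question."""
    return [names for names in group_by_fingerprint(files, init_crc_length).values() if len(names) > 1]


def files_seen_as_new(files: dict[str, bytes], old_length: int, new_length: int) -> list[str]:
    """Files whose fingerprint changes when the CRC window is resized.

    The stored fingerprints were computed with old_length, so after the change
    none of them match any file on disk and each such file is read from the
    start again: this is the re-indexing observed after raising initCrcLength."""
    return sorted(
        name for name, data in files.items()
        if fingerprint(data, old_length) != fingerprint(data, new_length)
    )


if __name__ == "__main__":
    for length in (DEFAULT_INIT_CRC_LENGTH, RAISED_INIT_CRC_LENGTH):
        print(f"initCrcLength={length}: colliding groups = {collisions(FILES, length)}")
    print("re-read after resize:", files_seen_as_new(FILES, DEFAULT_INIT_CRC_LENGTH, RAISED_INIT_CRC_LENGTH))
```

With the 256-byte window all four files share one fingerprint, because the window never reaches past the common header; with the 1000-byte window the first body line is inside the window and every file is distinct. The same resize also changes the fingerprint of every file already known, which is why, under this model, the existing files are read again once: a one-time cost of changing the window on a directory that is already being monitored.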
