I am getting the following error messages from inputs directed from a Splunk forwarder instance to an indexer:
13:01:22.582 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXXlogs/retail_sales_dm_ci_comm.rows'.
07-13-2015 13:01:22.636 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXX/logs/retail_sales_dm_ci_comm_sql.out.Mon'.
07-13-2015 13:01:25.613 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/xfer/XXX/logs/IFM_FACT_wf_edw_mbr_alloc_sum_skey_coid_xref.out'
This is my inputs.conf configuration:
[monitor:///xfer/XXX/logs/*]
index = <index_name>
sourcetype = <sourcetype>
crcSalt = <SOURCE>
I am unable to see latest events as a result.
Please provide feedback on how to overcome this issue.
Thanks,
Mohammed Mohiuddin
These are not error messages, they're informational messages telling you that Splunk is re-reading files after they've been replaced with different content.
Martin,
I do see a lot of these messages in splunkd.logs. Is Splunk re-indexing the data, or can I ignore these messages?
File too small to check seekcrc, probably truncated. Will re-read entire file=...filepath
File too small to check seekcrc, probably truncated. Will re-read entire file=...filepath
INFO WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.
INFO WatchedFile - Logfile truncated while open, original pathname file=...filepath., will begin reading from start.
inputs.conf on UFs:
[monitor:///opt/app/ws/server/*/log/server.log]
sourcetype=log4j
crcSalt = <source>
index=testenv
It says a watched file was truncated and that Splunk will begin reading that file from the new start.
Most likely reason: Log rotation.
These two are different messages on different UFs:
File too small to check seekcrc, probably truncated. Will re-read entire file=...filepath
INFO WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.
For the monitor path in the stanza, the log rotates and gets saved as server.log.05082016 every day at midnight. I don't think Splunk reads that rolled-over file, as we didn't mention the path in the monitor stanza, isn't that so?
[monitor:///opt/app/ws/server/*/log/server.log]
If you tell Splunk to read server.log, Splunk's not going to read server.log.05082016.
You should tell Splunk to read that though, in case an event was written and rotated out before Splunk caught it.
If I tell Splunk to read both server.log in the monitor stanza ([monitor:///opt/app/ws/server/*/log/server.log])
and also the archived/backed-up server.log.05082016, does this lead to double indexing of the events?
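
To see which monitored files are being re-read and how often, the WatchedFile messages quoted in this thread can be grouped by file and reason. This is an added example, not code from any poster or from Splunk; the sample lines are constructed, and it assumes the path appears as file='...' in single quotes, as in the first post's log lines.

```python
import re
from collections import Counter, defaultdict

# Message fragments quoted in the thread, mapped to short reason labels.
REASONS = {
    "File too small to check seekcrc": "too_small",
    "Checksum for seekptr didn't match": "seekptr_mismatch",
    "Logfile truncated while open": "truncated_while_open",
}
FILE_RE = re.compile(r"file='([^']+)'")  # assumption: path is single-quoted

def summarize_rereads(lines):
    """Return {path: Counter(reason -> count)} for WatchedFile re-read messages."""
    summary = defaultdict(Counter)
    for line in lines:
        if "WatchedFile" not in line:
            continue
        reason = next((lbl for frag, lbl in REASONS.items() if frag in line), None)
        match = FILE_RE.search(line)
        if reason and match:
            summary[match.group(1)][reason] += 1
    return dict(summary)

def noisy_files(summary, threshold=2):
    """Paths re-read at least `threshold` times, most frequent first."""
    totals = {path: sum(c.values()) for path, c in summary.items()}
    return sorted((p for p, n in totals.items() if n >= threshold),
                  key=lambda p: (-totals[p], p))

# Constructed sample lines (paths and timestamps are made up for this example).
SAMPLE = """\
05-08-2016 00:00:01.100 -0400 INFO WatchedFile - Logfile truncated while open, original pathname file='/opt/app/example/log/server.log', will begin reading from start.
05-08-2016 00:00:03.200 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/app/example/log/server.log'.
05-08-2016 00:05:10.000 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/opt/app/example/log/batch.out'
05-08-2016 00:06:00.000 -0400 INFO ExampleComponent - unrelated constructed line
""".splitlines()

if __name__ == "__main__":
    summary = summarize_rereads(SAMPLE)
    for path in noisy_files(summary, threshold=1):
        print(path, dict(summary[path]))
```

A file that shows up once a day around its rotation time matches the log-rotation explanation given above; a file that shows up far more often is worth checking against whatever process is rewriting it.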