Splunk error message on splunkd.log

OMohi · ‎07-13-2015

I am getting the following error message from inputs directing from splunk forwarder instance to indexer:

13:01:22.582 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXXlogs/retail_sales_dm_ci_comm.rows'.
07-13-2015 13:01:22.636 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXX/logs/retail_sales_dm_ci_comm_sql.out.Mon'.
07-13-2015 13:01:25.613 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/xfer/XXX/logs/IFM_FACT_wf_edw_mbr_alloc_sum_skey_coid_xref.out'

This is my inputs.conf configuration:

[monitor:///xfer/XXX/logs/*]
index = <index_name>
sourcetype = <sourcetype>
crcSalt = <SOURCE>

I am unable to see latest events as a result.

Please provide feedback on how to overcome this issue.

Thanks,

Mohammed Mohiuddin

martin_mueller · ‎07-13-2015

These are no error messages, they're informational messages telling you that Splunk is re-reading files after they've been replaced with different content.

prakash007 · ‎05-06-2016

martin,
I do see lot of these messages in splunkd.logs, is splunk re-indexing the data or can i ignore these messages...?

     File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath
     File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath
    INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.
    INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath., will begin reading from start.


input.conf on UFs................

 [monitor:///opt/app/ws/server/*/log/server.log]
 sourcetype=log4j
 crcSalt = <source>
 index=testenv

martin_mueller · ‎05-08-2016

It says a watched file was truncated and that Splunk will begin reading that file from the new start.

Most likely reason: Log rotation.

prakash007 · ‎05-08-2016

These two are different messages on different UFs..

File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath

INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.

For the monitor path in the stanza, the log rotates and gets saved as server.log.05082016 every day @midnight. I don't think splunk reads that rolled over file as we didn't mention the path in the monitor stanza, isn't it so...?

[monitor:///opt/app/ws/server/*/log/server.log]

martin_mueller · ‎05-10-2016

If you tell Splunk to read server.log, Splunk's not going to read server.log.05082016.

You should tell Splunk to read that though, in case an event was written and rotated out before Splunk caught it.

prakash007 · ‎05-12-2016

If i tell splunk to read both server.log in monitor stanza([monitor:///opt/app/ws/server/*/log/server.log])
and also archived/backed up server.log.05082016..does this lead to double indexing of the events..?

Splunk error message on splunkd.log

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!