Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is my universal forwarder reporting "INFO WatchedFile - Resetting fd to re-extract header"?

a212830
Champion
‎02-04-2016 02:28 PM

One of my servers running a universal forwarder is spitting out this message quite frequently:

02-04-2016 16:48:49.607 -0500 INFO  WatchedFile - Resetting fd to re-extract header.

What is this telling me? Each file does have a header, which we ignore via the FIELD_HEADER_REGEX parameter. Is it telling me that the header is being extracted? (These files roll over quite a bit).

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎02-04-2016 03:21 PM

I imagine its just letting you know the file is being opened from the start again. Might be resulting from the crcSalt but I honestly don't know - just guessing.

Also worth noting that its an INFO log entry so its not necessarily telling you of a problem. Is there a larger issue you are trying to address and believe this to be a symptom of?

0 Karma
Reply

reansh
Observer
‎02-08-2022 07:16 AM

Headers from a csv files are also getting ingested while props and transforms are defined to discard the headers as per following configs:
[sourcetype]
REGEX = Username
DEST_KEY = queue
FORMAT = nullQueue

Username is my header.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...