Why is my universal forwarder reporting "INFO WatchedFile - Resetting fd to re-extract header"?

a212830
Champion

One of my servers running a universal forwarder is spitting out this message quite frequently:

02-04-2016 16:48:49.607 -0500 INFO  WatchedFile - Resetting fd to re-extract header.

What is this telling me? Each file does have a header, which we ignore via the FIELD_HEADER_REGEX parameter. Is it telling me that the header is being extracted? (These files roll over quite a bit).

0 Karma

sloshburch
Splunk Employee

I imagine it's just letting you know the file is being opened from the start again. Might be resulting from the crcSalt but I honestly don't know - just guessing.

Also worth noting that it's an INFO log entry so it's not necessarily telling you of a problem. Is there a larger issue you are trying to address and believe this to be a symptom of?

0 Karma

reansh
Observer

Headers from CSV files are also getting ingested, while props and transforms are defined to discard the headers as per the following configs:
[sourcetype]
REGEX = Username
DEST_KEY = queue
FORMAT = nullQueue

Username is my header.

0 Karma
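
The usual wiring for routing a header line to nullQueue, as an added example that is not part of the original thread: props.conf attaches a named transform to the sourcetype, and transforms.conf defines that transform. The sourcetype name my_csv and the transform name drop_csv_header are hypothetical, the anchored regex is a change from the pattern posted above, and the example assumes both files are deployed on the Splunk instance that performs parsing for this input.

```ini
# props.conf
# "my_csv" is a hypothetical sourcetype name; use the one assigned to the input.
[my_csv]
# Attach the transform by name; the class suffix ("drop_header") is arbitrary.
TRANSFORMS-drop_header = drop_csv_header

# transforms.conf
# "drop_csv_header" is a hypothetical transform name; it must match the
# value referenced in props.conf above.
[drop_csv_header]
# Anchored so only lines that begin with the header's first column match.
# An unanchored "Username" would also discard any data row containing that
# string, silently removing events from the index.
REGEX = ^Username
DEST_KEY = queue
FORMAT = nullQueue
```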