I have a collection of log files (InDesign Server logs) that I'm indexing with the following inputs.conf settings:
[monitor:///path/to/files/*.log]
disabled = 0
crcSalt =
Everything seems to be OK, but then after some interval, I start to see these messages in splunkd.log:
03-16-2012 15:42:08.152 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/path/to/files/indesignserver.log'
It's causing many duplicate entries in my index as the same files keep getting re-indexed. Does anybody have any thoughts on why the seekptr checksum would fail?
seems like others also having a reindex issue, see http://splunk-base.splunk.com/answers/43103/splunk-indexing-the-same-files-again-and-again-and-again...
What is this ... 'grep'?
Not the same issue. I don't have those messages for the files in question (only for metrics.log).
! [siteadm@sun-ops1] grep "Checksum for seekptr didn't match" *log
splunkd.log:02-10-2012 04:27:19.875 +1100 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/opt/splunkforwarder/var/log/splunk/metrics.log'.
! [siteadm@sun-ops1] grep "Checksum for seekptr didn't match" *log | grep -v metrics.log
! [siteadm@sun-ops1]