On Solaris 10/11 - Our $SPLUNK_HOME/var/log/splunk/splunkd.log file has many of the following messages, 1 per second every minute.
08-02-2017 18:04:06.787 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.
I have tried various configs with the $SPLUNK_HOME/etc/system/local/inputs.conf [blacklist:///etc/dfs/] and [monitor://] with disable = true, but nothing works.
Thanks.
You can determine which monitor
stanza is responsible for this by examining the output of:
splunk list monitor
After which you can work to tune your blacklist/whitelist to try to prevent it from being indexed.
Do you install unix app?
I get same information
01-11-2018 16:36:05.204 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.
01-11-2018 16:36:06.266 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.
I found the app inputs.conf
[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
blacklist = etc/dfs/*
index=os
disabled = 0
The message won't be happened.
It's useful for me. maybe you can try it.