How to properly disable a WatchedFile using the Un...

thabben · ‎08-02-2017

On Solaris 10/11 - Our $SPLUNK_HOME/var/log/splunk/splunkd.log file has many of the following messages, 1 per second every minute.

08-02-2017 18:04:06.787 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.

I have tried various configs with the $SPLUNK_HOME/etc/system/local/inputs.conf [blacklist:///etc/dfs/] and [monitor://] with disable = true, but nothing works.
Thanks.

micahkemp · ‎01-12-2018

You can determine which monitor stanza is responsible for this by examining the output of:

splunk list monitor

After which you can work to tune your blacklist/whitelist to try to prevent it from being indexed.

morgan03 · ‎01-11-2018

Do you install unix app?

I get same information

01-11-2018 16:36:05.204 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.
01-11-2018 16:36:06.266 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.

I found the app inputs.conf

[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
blacklist = etc/dfs/*
index=os
disabled = 0

The message won't be happened.

It's useful for me. maybe you can try it.

How to properly disable a WatchedFile using the Universal Forwarder?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life