Different path from Splunk Universal Forwarder wit...

lsmkelvin · ‎08-30-2012

Here is the details.

Server 1:
path=/appl/abc/log/access.yyyyMMdd.HHmmss.log
Which is ok for Server 1.

Server 2:
path=/appl/def/log/access.yyyyMMdd.HHmmss.log
I extracted Server 2 splunkd.log and the message as below.
"08-30-2012 10:28:11.478 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=/appl/def/log/access.yyyyMMdd.HHmmss.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info."

For those server inputs.conf setting, which are same, just only the path location is different. Also, i indexed to different index as well with using different app.

Can anyone help to fix this problem?

Thanks
Kelvin

MuS · ‎08-30-2012

Hi Ismkelvin

the message says it all, the file was ignored because of a CRC match. If you want to index this file you have to add the crcSalt = to your inputs.conf. This will tell Splunk to include the path name in the checksum.

read more about it here and follow the docs; SOURCE must be in angle brackets 😉

but also be warned, that including crcSalt can lead to double indexing of files.

cheers,

MuS

Different path from Splunk Universal Forwarder with same log file name, however, cannot recognize one of the path's log file

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms