Here is the details.
Server 1:
path=/appl/abc/log/access.yyyyMMdd.HHmmss.log
Which is ok for Server 1.
Server 2:
path=/appl/def/log/access.yyyyMMdd.HHmmss.log
I extracted Server 2 splunkd.log and the message as below.
"08-30-2012 10:28:11.478 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=/appl/def/log/access.yyyyMMdd.HHmmss.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info."
For those server inputs.conf setting, which are same, just only the path location is different. Also, i indexed to different index as well with using different app.
Can anyone help to fix this problem?
Thanks
Kelvin
Hi Ismkelvin
the message says it all, the file was ignored because of a CRC match. If you want to index this file you have to add the crcSalt =
read more about it here and follow the docs; SOURCE must be in angle brackets 😉
but also be warned, that including crcSalt can lead to double indexing of files.
cheers,
MuS