Dear all,
quick question if I may. I am having a directory full of CSV files that I'm trying to index on a linux splunk forwarder as follows:
[root@localhost]# /opt/splunkforwarder/bin/splunk cmd btool inputs list monitor
[monitor:///home/logfiles]
_rcvbuf = 1572864
crcSalt = < SOURCE >
disabled = false
host = myhost.lan
index = _internal
sourcetype = my_sourcetype
Stanza gets parsed as per splunkd.log, but I don't see anything indexed. There are maybe 20 csv files in the directory, some of them with matching md5sums of first 256 bytes, so I hoped crcSalt would help me out here, alas, no dice. Yes, there are no spaces around "SOURCE",
I tried to reset the fishbucket for a random file via btprobe -d --reset ...., didn't change a whole lot. No error (or any) messages in my splunkd.log, it's perfectly content not indexing anything.
I was thinking about this initcrclength parameter, but I found out it's only splunk 5.0 compatible.
Could any of you splunk wise ladies/gentlemen offer a piece of advice?
Thanks!
Try changing the index from _internal
to main
. The logs are probably getting lost in the internal indexes. _internal
should stay reserved for Splunk Data Only. Your crcSalt is correct, because it adds the Filename and path to the salt, so each salt is (FullPath+ First256Bytes). Once you correct the index, try searching for it again.
Try changing the index from _internal
to main
. The logs are probably getting lost in the internal indexes. _internal
should stay reserved for Splunk Data Only. Your crcSalt is correct, because it adds the Filename and path to the salt, so each salt is (FullPath+ First256Bytes). Once you correct the index, try searching for it again.
That did it, thanks a lot!