- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why is Splunk unable to index logs with very s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is Splunk unable to index logs with very small sizes [in KB] but is able to parse other files from that directory?
Hi,
I have to monitor all files inside one directory. But the tiny sized files are not getting into Splunk while all other files are duly getting indexed. i used CRCSalt parameters and Below is my config settings for inputs file.
[monitor://L:\XYZ.2.0\XYZlogs\*]
disabled = false
index = app_XYZ
sourcetype = _json
crcSalt = Source in greater than and less than sign
initCrcLength = 256
Please tell us what am I missing out on.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever resolve your problem? I am experiencing the same issue with very small files ( < 2KB ) that Splunk forwarder is missing/skipping. Sometimes, I can delete and re-create the log file and Splunk will pick it up but sometimes nothing will trigger the forwarder to send the file to the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DId you ever resolve this issue? I am experiencing issues where Splunk forwarder sometimes misses very small ~2KB files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have the setting wrong. Use this exactly (do NOT change anything at all):
crcSalt=<SOURCE>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes its indeed the same settings.
crcSalt=SOURCE with angular brackets
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you LITERALLY have this:
crcSalt=<SOURCE>
Or have you substituted the word SOURCE for something else like this:
crcSalt=</your/path/file>
YOU MUST NOT DO THE LATTER! YOU MUST DO THE FORMER!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes i have done the former setting only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then it should work. Deploy to forwarders and restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the files smaller than the 256 bytes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
File size is like 1-5KBs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also i just discovered that few of the data is going into "lastchanceindex". Why is that the case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure the path is correct, try giving complete file name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes path is accurate given other large files are duly getting indexed in splunk.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
