I am able to get XML field extraction, but it is delayed by around 3 hours, and the file keeps getting re-indexed (seek chkptr failed match). Here are my props:
[ontap]
TIME_PREFIX = SystemTime=\"
SHOULD_LINEMERGE = false
LINE_BREAKER = ()
MUST_BREAK_AFTER = \
KV_MODE = xml
Make sure you have global permissions on the TA or SA you are setting this in. Here is my metadata/local.meta
[]
access = read : [ * ], write : [ admin, yourothergroup, yourotherothergroup]
export = system
Is anyone getting a re-indexed file issue which leads to a long delay in making the data searchable? Since the files are large, I am assuming the re-indexing is causing the delay in search due to time/field extraction.
Here is what I am getting in splunkd.log on the UF:
ERROR TailReader - File will not be read, seekptr checksum did not match (file=\fileshare\audit_logs$\audit_last.xml). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
When I use crcSalt = I get the re-indexing issue, which leads to the delayed search results.
From splunkd.log on the UF:
tailReader - ...continuing.
05-24-2016 15:50:58.127 -0400 INFO TailReader - Continuing...
05-24-2016 15:51:18.703 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='\fileshare\audit_logs$\audit_last.xml'.
05-24-2016 15:51:18.704 -0400 INFO WatchedFile - Will begin reading at offset=0 for file='\fileshare\audit_logs$\audit_last.xml'.
05-24-2016 15:51:19.205 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='\fileshare\audit_logs$\audit_last.xml'.
05-24-2016 15:51:24.208 -0400 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
05-24-2016 15:51:36.997 -0400 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
05-24-2016 15:52:26.751 -0400 INFO TailReader - Continuing...
05-24-2016 15:52:26.751 -0400 INFO TailReader - ...continuing.
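To make the two log messages above easier to reason about, here is a toy model of how a forwarder's fishbucket decides whether a file is new, already seen, or changed. This is an added illustration, not Splunk's code and not something from the post: the CRC function, the exact byte ranges hashed (initCrcLen bytes at the start, and an assumed 256 bytes just before the seek pointer), the `\\share\audit\...` paths and the ONTAP-style XML sample are all constructed assumptions. It reproduces the two situations in the post: two audit files whose first 256 bytes are an identical XML preamble collide on initcrc unless the source path is salted in (the ERROR "filename was different"), and a file whose bytes before the saved offset change gets re-read from offset=0 (the INFO "Checksum for seekptr didn't match"). The second scenario also shows why an XML log that keeps a closing root tag up to date cannot be tailed incrementally in this model: inserting an event before `</Events>` changes the bytes the seek checksum covers.

```python
"""Toy fishbucket model (initCrcLen / crcSalt / seekptr checksum).
Added example only; this is NOT Splunk's implementation.  CRC choice,
hashed byte ranges, file paths and sample XML are assumptions."""
import zlib

INIT_CRC_LEN = 256   # Splunk's documented default for initCrcLen
SEEK_CRC_LEN = 256   # assumed: bytes before the seek pointer that get checksummed

# Constructed sample shaped like an ONTAP CIFS audit log in EVTX-XML form.
PREAMBLE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">\n'
)
# Fixed prefix of every event: PREAMBLE + EVENT_FIXED is well over 256 bytes
# before the first timestamp, so two such files share an initcrc by default.
EVENT_FIXED = (
    b'<Event><System><Provider Name="NetApp-Security-Auditing"/>'
    b'<EventID>4663</EventID><EventName>Get Object</EventName>'
    b'<Version>101.3</Version><Source>CIFS</Source><Level>0</Level>'
    b'<Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result>'
)
ROOT_CLOSE = b'</Events>\n'


def audit_event(system_time: str, user: str) -> bytes:
    return (EVENT_FIXED
            + b'<TimeCreated SystemTime="' + system_time.encode() + b'"/></System>'
            + b'<EventData><Data Name="SubjectUserName">' + user.encode()
            + b'</Data></EventData></Event>\n')


def audit_file(events, close_root: bool) -> bytes:
    """close_root=True models a writer that keeps </Events> at the end of the file."""
    body = PREAMBLE + b"".join(audit_event(t, u) for t, u in events)
    return body + ROOT_CLOSE if close_root else body


def init_crc(data: bytes, source: str, init_crc_len=INIT_CRC_LEN, crc_salt=None) -> int:
    head = data[:init_crc_len]
    if crc_salt == "<SOURCE>":          # crcSalt = <SOURCE>: mix the path into the CRC
        head += source.encode()
    return zlib.crc32(head)


def seek_crc(data: bytes, offset: int) -> int:
    return zlib.crc32(data[max(0, offset - SEEK_CRC_LEN):offset])


class Fishbucket:
    """initcrc -> (source, seek pointer, checksum of the bytes before it)."""

    def __init__(self, init_crc_len=INIT_CRC_LEN, crc_salt=None):
        self.init_crc_len, self.crc_salt, self.records = init_crc_len, crc_salt, {}

    def ingest(self, source: str, data: bytes):
        """Return (decision, bytes_read) for one pass over the current file content."""
        key = init_crc(data, source, self.init_crc_len, self.crc_salt)
        rec = self.records.get(key)
        if rec is None:
            decision, start = "new", 0
        else:
            seen_source, offset, crc = rec
            if seen_source != source:
                # the ERROR in the post: same initcrc, different filename -> not read
                return "skipped:initcrc-collision", 0
            if offset <= len(data) and seek_crc(data, offset) == crc:
                decision, start = "resumed", offset
            else:
                # the INFO in the post: seekptr checksum mismatch -> re-read from offset=0
                decision, start = "reread", 0
        self.records[key] = (source, len(data), seek_crc(data, len(data)))
        return decision, len(data) - start


def initcrc_scenario(crc_salt=None):
    """Two audit files with identical preambles under different (constructed) paths."""
    fb = Fishbucket(crc_salt=crc_salt)
    a = audit_file([("2016-05-24T15:50:58.127Z", "alice")], close_root=False)
    b = audit_file([("2016-05-24T16:00:00.000Z", "bob")], close_root=False)
    return [fb.ingest(r"\\share\audit\audit_last.xml", a)[0],
            fb.ingest(r"\\share\audit\audit_0001.xml", b)[0]]


def seekptr_scenario(close_root: bool):
    """Same file grows by one event; returns the second pass's (decision, bytes_read)."""
    fb = Fishbucket()
    src = r"\\share\audit\audit_last.xml"
    first = [("2016-05-24T15:50:58.127Z", "alice")]
    second = first + [("2016-05-24T15:51:18.703Z", "bob")]
    fb.ingest(src, audit_file(first, close_root))
    return fb.ingest(src, audit_file(second, close_root))


if __name__ == "__main__":
    print("default initCrcLen :", initcrc_scenario())
    print("crcSalt = <SOURCE> :", initcrc_scenario(crc_salt="<SOURCE>"))
    print("append-only growth :", seekptr_scenario(close_root=False))
    print("root tag rewritten :", seekptr_scenario(close_root=True))
```

In the model, the append-only file resumes at the old pointer and reads only the new event, while the file whose `</Events>` tag moves is re-read in full every time it grows, which is the pattern of "will re-read entire file" followed by "Will begin reading at offset=0" in the log above. The check worth doing on a real host is therefore to compare two consecutive copies of the audit file and see whether the bytes before the old end of file are stable; if they are not, no crcSalt or initCrcLen setting will stop the re-read, because those only affect how the file is identified, not how its tail is resumed.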