https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709455#M21381 <P>We are facing a log indexing issue with the log paths mentioned below. Previously, with the same inputs.conf configuration, logs were being ingested without issues, but suddenly, it stopped sending logs. Each log file contains logs for a single day, but splunk reports that it has already read these logs and skips them. Below is the inputs.conf configuration:<BR /><BR /></P> <LI-CODE lang="markup">[monitor://C:\Ticker\out\] whitelist = .*_Mcast2Msg\\logs\\.*log$ index = rtd disabled = false followTail = 0 ignoreOlderThan = 3d recursive = true sourcetype = rtd_mcast crcSalt = &lt;SOURCE&gt;</LI-CODE> <P>source path:</P> <LI-CODE lang="markup">C:\Ticker\out\Equiduct_Mcast2Msg\logs\EquiductTest-01-21-25.log C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-16-25.log C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-16-25.log C:\Ticker\out\JSE_Mcast2Msg\logs\JSEtst-01-17-25.log C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-14-25.log</LI-CODE> <P><BR />_internal logs:</P> <LI-CODE lang="markup">01-21-2025 14:48:20.745 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=105 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-21-25.log'. 01-21-2025 14:48:13.586 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=171 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-20-25.log'. 01-21-2025 14:48:06.332 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-21-25.log'. 01-21-2025 14:47:57.650 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-20-25.log'. 01-21-2025 14:47:51.466 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-20-25.log'. 01-21-2025 14:47:45.271 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-21-25.log'. 01-21-2025 14:47:39.644 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-21-25.log'. 01-21-2025 14:47:35.855 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-20-25.log'. 01-21-2025 14:47:35.660 +0000 INFO TailingProcessor [6536 MainTailingThread] - Adding watch on path: C:\Ticker\out. 01-21-2025 14:47:35.659 +0000 INFO TailingProcessor [6536 MainTailingThread] - Parsing configuration stanza: monitor://C:\Ticker\out\. </LI-CODE> <P><BR />Issue Details:</P> <P>1) When we update the very first line of a log file, only the updated first line is ingested by Splunk, and the rest of the content is skipped.<BR />2) We have deleted the fishbucket, but the issue persists.<BR />3) Even after reinstalling the Splunk forwarder (version 8.2.12), the problem continues.<BR /><BR /></P> Wed, 22 Jan 2025 17:43:31 GMT dj064 2025-01-22T17:43:31Z https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709455#M21381 <P>We are facing a log indexing issue with the log paths mentioned below. Previously, with the same inputs.conf configuration, logs were being ingested without issues, but suddenly, it stopped sending logs. Each log file contains logs for a single day, but splunk reports that it has already read these logs and skips them. Below is the inputs.conf configuration:<BR /><BR /></P> <LI-CODE lang="markup">[monitor://C:\Ticker\out\] whitelist = .*_Mcast2Msg\\logs\\.*log$ index = rtd disabled = false followTail = 0 ignoreOlderThan = 3d recursive = true sourcetype = rtd_mcast crcSalt = &lt;SOURCE&gt;</LI-CODE> <P>source path:</P> <LI-CODE lang="markup">C:\Ticker\out\Equiduct_Mcast2Msg\logs\EquiductTest-01-21-25.log C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-16-25.log C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-16-25.log C:\Ticker\out\JSE_Mcast2Msg\logs\JSEtst-01-17-25.log C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-14-25.log</LI-CODE> <P><BR />_internal logs:</P> <LI-CODE lang="markup">01-21-2025 14:48:20.745 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=105 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-21-25.log'. 01-21-2025 14:48:13.586 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=171 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-20-25.log'. 01-21-2025 14:48:06.332 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-21-25.log'. 01-21-2025 14:47:57.650 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-20-25.log'. 01-21-2025 14:47:51.466 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-20-25.log'. 01-21-2025 14:47:45.271 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-21-25.log'. 01-21-2025 14:47:39.644 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-21-25.log'. 01-21-2025 14:47:35.855 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-20-25.log'. 01-21-2025 14:47:35.660 +0000 INFO TailingProcessor [6536 MainTailingThread] - Adding watch on path: C:\Ticker\out. 01-21-2025 14:47:35.659 +0000 INFO TailingProcessor [6536 MainTailingThread] - Parsing configuration stanza: monitor://C:\Ticker\out\. </LI-CODE> <P><BR />Issue Details:</P> <P>1) When we update the very first line of a log file, only the updated first line is ingested by Splunk, and the rest of the content is skipped.<BR />2) We have deleted the fishbucket, but the issue persists.<BR />3) Even after reinstalling the Splunk forwarder (version 8.2.12), the problem continues.<BR /><BR /></P> Wed, 22 Jan 2025 17:43:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709455#M21381 dj064 2025-01-22T17:43:31Z https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709461#M21382 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273211">@dj064</a>&nbsp;<BR /><BR />My suggestion would be not use&nbsp;<SPAN>crcSalt setting for log rotation files. Can you please disable it and restart splunk to check status. also if you can share some log files with maksing imp data</SPAN></P><P>&nbsp;</P><P><SPAN>crcSalt = &lt;SOURCE&gt;</SPAN></P> Wed, 22 Jan 2025 14:42:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709461#M21382 SanjayReddy 2025-01-22T14:42:57Z https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709464#M21383 <P>Yes. crcSalt is rarely the way to go. The solution is usually to raise the initCrcLength value so that if you have a constant "header" in your file it's getting skipped.</P><P>As for your original question - there can be several different reasons for it. Try checking output of</P><PRE>splunk list monitor</PRE><P>and</P><PRE>splunk list inputstatus</PRE><P>regarding those problematic files</P> Wed, 22 Jan 2025 14:49:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Logging-issues/m-p/709464#M21383 PickleRick 2025-01-22T14:49:55Z